On Thursday, August 10, 2017 at 11:27:53 AM UTC-5, Nick Lamb wrote:
> The truth is that there is no positive test for randomness, any work in this
> area is going to end up needing a judgement call, so I think inconveniencing
> the CAs even a small amount with such a policy change just to make automated
> testing easier isn't the right trade off. If there happens to be some future
> work in this policy area and the opportunity is taken to incorporate
> Jonathan's wording I have no problem with that, but I definitely don't think
> Mozilla should insist on it for its own sake.
Further to the point that Nick made, merely ensuring that the serial number
field is represented as at least eight bytes prior to DER encoding still does
not tell you whether or not the CA truly incorporated 64 bits of randomness in
the serial number versus, for example, packing together 32 bits of randomness
and 32 bits of sequence number.
dev-security-policy mailing list