Every certificate known to CT issued by PROCERT with a notBefore date after September 30, 2016 has what appears to be a non-random serial number: https://crt.sh/?Identity=%25&iCAID=750
1e:4d:94:48:00:00:00:00:0c:79
2f:84:26:06:00:00:00:00:0b:1b
3d:94:73:d1:00:00:00:00:0a:ab
4b:53:8c:18:00:00:00:00:09:db
4c:94:f1:d5:00:00:00:00:0a:bd
4c:f3:00:86:00:00:00:00:0a:c0
4d:a7:2c:6a:00:00:00:00:0a:c3
4e:11:32:b3:00:00:00:00:0a:c7
6f:d3:c3:24:00:00:00:00:0c:56
7b:33:8f:17:00:00:00:00:0c:96
7b:98:a8:b1:00:00:00:00:0c:97
11:bb:b9:9f:00:00:00:00:0b:af
14:e9:6d:a4:00:00:00:00:0a:fa
16:8e:a3:9d:00:00:00:00:0b:f5
17:93:5a:4f:00:00:00:00:09:a6
17:96:d7:b8:00:00:00:00:09:a7
18:94:8a:f4:00:00:00:00:09:5a
18:98:dc:bb:00:00:00:00:09:5b
35:ce:d9:af:00:00:00:00:0c:02
43:ed:d4:a7:00:00:00:00:0a:b1
51:33:c5:60:00:00:00:00:0a:36
62:fa:e6:81:00:00:00:00:08:ad
69:4d:2f:c1:00:00:00:00:08:b4
76:81:87:9b:00:00:00:00:0b:65

In addition, their OCSP responder is returning a status of "Good" for adjacent serial numbers, suggesting sequential assignment of serial numbers.

This violates section 7.1 of the BRs, which states: "Effective September 30, 2016, CAs SHALL generate non-sequential Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG."

I have not reported this to PROCERT since their problem reporting mechanism is a link to a non-English web page.

Regards,
Andrew

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
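As an added example (not part of the post above, and not PROCERT's or Mozilla's code), the following Python puts the observation into a repeatable compliance check: byte positions that hold the same value across every serial in a CT sample cannot be CSPRNG output, so they give an upper bound on the random bits present. The function names are hypothetical; the sample is a subset of the serials quoted in the post.

```python
# Heuristic check for the BR 7.1 requirement that serial numbers carry at
# least 64 bits of CSPRNG output. Hypothetical helper names (added example).
from typing import Dict, List

def parse_serial(s: str) -> bytes:
    """Parse a colon-separated hex serial such as '1e:4d:...:0c:79'."""
    return bytes(int(part, 16) for part in s.strip().split(":"))

def constant_positions(serials: List[bytes]) -> List[int]:
    """Byte offsets that hold the same value in every serial of the sample."""
    width = len(serials[0])
    if any(len(s) != width for s in serials):
        raise ValueError("serials in the sample have different lengths")
    return [i for i in range(width) if len({s[i] for s in serials}) == 1]

def max_random_bits(serials: List[bytes]) -> int:
    """Upper bound on random bits: bytes that never change are not CSPRNG output.
    A large bound does not prove randomness; a bound below 64 proves a violation."""
    return 8 * (len(serials[0]) - len(constant_positions(serials)))

def longest_zero_run(serial: bytes) -> int:
    """Length of the longest run of consecutive zero bytes in one serial."""
    run = best = 0
    for b in serial:
        run = run + 1 if b == 0 else 0
        best = max(best, run)
    return best

def assess(serial_strings: List[str]) -> Dict:
    """Summarise the sample: constant offsets, entropy bound, zero runs, verdict."""
    serials = [parse_serial(s) for s in serial_strings]
    bound = max_random_bits(serials)
    return {
        "constant_byte_offsets": constant_positions(serials),
        "max_random_bits": bound,
        "longest_zero_run": max(longest_zero_run(s) for s in serials),
        "meets_64_bit_requirement": bound >= 64,
    }

# Subset of the PROCERT serials quoted in the post above.
SAMPLE = [
    "1e:4d:94:48:00:00:00:00:0c:79", "2f:84:26:06:00:00:00:00:0b:1b",
    "3d:94:73:d1:00:00:00:00:0a:ab", "4b:53:8c:18:00:00:00:00:09:db",
    "62:fa:e6:81:00:00:00:00:08:ad", "76:81:87:9b:00:00:00:00:0b:65",
]

if __name__ == "__main__":
    print(assess(SAMPLE))
```

On this sample the four zero bytes at offsets 4-7 are constant, so at most 48 of the 80 serial bits can be random and the check fails before any sequential-counter analysis is needed.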