> This going to require 19 randomly generated Base64 characters and that does > not include removing common confused characters which will drive up the > length a bit more, but if this is what the Mozilla risk assessment came up > with, > then we’ll all have to comply. I hope there is a sufficiently long time for > CAs to > change their processes and APIs and to roll out updated training and > documentation to their customers (for this unplanned change).
A reasonable transition period is reasonable. > 2) Trying to compute the entropy of a user generated password is nearly > impossible. According to NIST Special Publication 800-63, a good 20 character > password will have just 48 bits of entropy, and characters after that only > add 1 > bite of entropy each. User stink at generating Entropy (right Tim?) Yes, users struggle to generate a single bit of entropy per character. This is why users should not generate keys or passwords. An encoded CSPRNG can hit 5-6 bits of entropy per character, so 20 is a pretty good number for password lengths. Copy/paste solves most of the usability issues. There are some subtleties that require some care, but the general gist is right. -Tim
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy