Scott,

On Tue, Feb 26, 2019 at 3:21 AM Scott Rea via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> G’day folks,
>
> we appreciate the many suggestions made on the list to strengthen the entropy of random serialNumbers.
>
> One challenge we face currently is that our platform (which does support higher entropy) only supports this at a global level. So if we make a global change, then ALL our CAs will use the larger serialNumbers, and this would have an impact, for example, on CAs which are in completely different hierarchies to those used for Public Trust, which would also have to adopt the change (and for CAs used for constrained environments, e.g. IoT, the size of each extension has an impact).
>
> However, we have been working with our platform provider and can now report that, effective the beginning of next week, DarkMatter will move to using random 128-bit serial numbers for all our Public Trust certificates.
>
> The remaining question is what should be done, if anything, about existing certificates with 64-bit serialNumbers?
>

I assume you are referring to those certificates containing a serial number with effectively 63 bits of entropy? They are misissued. BR section 4.9.1.1 provides guidance. Mozilla provides further guidance here: https://wiki.mozilla.org/CA/Responding_To_An_Incident

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
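The "64-bit serial with effectively 63 bits of entropy" that the reply refers to, worked through in code. This is an added example for readers of the thread, not code from the thread, from DarkMatter, or from its platform provider. It assumes something the thread does not spell out: that the missing bit is the sign bit of an 8-octet DER INTEGER, i.e. the CA draws 8 octets from a CSPRNG and clears the top bit so the encoding stays positive and exactly 8 octets long, which is the usual way a 64-bit draw ends up with 63 bits. The function names (`der_integer_content`, `random_serial`, `audit_serials`, `legacy_63_bit_serial`) and the sample populations are mine.

```python
"""Serial-number entropy: the 63-bit pattern and a 128-bit replacement.

Assumption (not stated in the thread): the lost bit is the sign bit of an
8-octet DER INTEGER, forced to zero so the serial stays positive.
"""
import secrets


def der_integer_content(value: int) -> bytes:
    """Minimal DER INTEGER content octets for a non-negative integer.

    DER mandates the shortest two's-complement encoding, so a value whose
    top bit is set needs one extra leading 0x00 octet to remain positive.
    Rounding with +8 rather than +7 reserves room for that sign bit.
    """
    if value < 0:
        raise ValueError("a certificate serial number cannot be negative")
    length = (value.bit_length() + 8) // 8
    return value.to_bytes(length, "big")


def random_serial(nbytes: int = 16) -> int:
    """Draw nbytes from the CSPRNG and clear the sign bit.

    The encoding is then always exactly nbytes long and positive, at the
    cost of one bit: 8 * nbytes - 1 bits of entropy. With nbytes == 8 that
    is the 63-bit pattern the reply calls misissuance, so 8 is rejected;
    the default of 16 octets leaves 127 bits, well above the 64-bit floor.
    """
    if nbytes < 9:
        raise ValueError("fewer than 9 octets leaves under 64 bits once the sign bit is cleared")
    while True:
        buf = bytearray(secrets.token_bytes(nbytes))
        buf[0] &= 0x7F  # keep the DER INTEGER positive without a pad octet
        value = int.from_bytes(buf, "big")
        if value > 0:  # serial numbers must be greater than zero
            return value


def audit_serials(serials: list[int], min_bits: int = 64) -> dict:
    """Population check over serials extracted from one CA's certificates.

    A single serial says nothing about entropy, but the widest serial in a
    large sample bounds the generator from above: a CSPRNG that really emits
    64 bits sets bit 63 in about half of its outputs, so if none of several
    thousand serials reaches that bit, the generator is not producing 64
    random bits. Returns the DER-length histogram, the widest bit length
    observed, and a flag that is True when that width is below min_bits.
    """
    if not serials:
        raise ValueError("need at least one serial")
    lengths: dict[int, int] = {}
    for serial in serials:
        n = len(der_integer_content(serial))
        lengths[n] = lengths.get(n, 0) + 1
    widest = max(serial.bit_length() for serial in serials)
    return {
        "der_lengths": dict(sorted(lengths.items())),
        "widest_bits": widest,
        "below_minimum": widest < min_bits,
    }


def legacy_63_bit_serial() -> int:
    """Constructed sample generator mimicking the assumed 8-octet scheme:
    63 random bits, so never a value >= 2**63 and never a 9-octet encoding."""
    value = secrets.randbits(63)
    return value if value > 0 else 1


if __name__ == "__main__":
    legacy = [legacy_63_bit_serial() for _ in range(2000)]
    print("legacy 8-octet scheme:", audit_serials(legacy))
    current = [random_serial(16) for _ in range(2000)]
    print("16-octet scheme:", audit_serials(current))
```

In a real audit the input to `audit_serials` would be the serial numbers parsed out of the CA's issued certificates (for instance from a CT log export); the constructed populations above only stand in for that. The legacy population never produces a 9-octet encoding and is flagged, while the 16-octet generator is not, which is the observable difference between the two schemes the thread discusses.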