On Fri, Mar 8, 2019 at 8:57 PM Peter Gutmann <[email protected]> wrote:
> Matthew Hardeman via dev-security-policy <[email protected]> writes:
>
> >shall be 0x75
>
> Not 0x71?

:-)

In truth, I think any particular chosen single value for the first byte which has the high order bit set to 0 and is not 0x00, 0x01, or 0x7F is probably fine. 0x00 is avoided for obvious encoding reasons. 0x01 and 0x7F should be avoided as they seem likely to be the most common values people would utilize in that position when they have the goal of avoiding variable length.

One of the benefits of choosing a particular fixed value for the entire first byte is that it creates a significant probability (127/128) that a random value (save for a fixed high order bit set to 0) in the first byte by a CA who hasn't updated their behavior to conform will be rapidly and obviously revealed.

> Sounds good, and saves me having to come up with something (the
> bitsort(CSPRNG64()) nonsense took enough time to type up). The only thing I
> somewhat disagree with is #3, since this is now very concise and requires "the
> first 64 bits of output" you can just make it a CSPRNG, which is well-
> understood and presumably available to any CA, since it's a standard feature
> of all HSMs.

I don't necessarily have strong opinions about it, but I did consider it and still came to the conclusion that it should be specified as a symmetric key generation operation.

My reason for this change arises from my own experiences in a variety of languages and platforms on various hardware over the years. CSPRNG ought to be enough, but sometimes some environments will spoil a developer with choice. And if the developer isn't necessarily a cryptographer, they could easily choose the wrong type or initialize it incorrectly. Conversely, through the years various programming languages and runtime environments have gotten better and better about the default or most prevalent routines for key generation on those platforms.

It is therefore my belief that specifying the entropy source as a standardized symmetric key generation operation improves the odds that a less than expert developer will accidentally get it right. I kind of cringe at that idea, but I still think it deserves a look.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
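The serial layout discussed in this message (one fixed first byte with the high bit clear, followed by exactly 64 bits of CSPRNG output), together with the 127/128 detection argument and the DER reason for avoiding 0x00, as an added worked example. This is constructed illustration code, not code from the thread, from Mozilla, or from any CA; it assumes 0x75 as the fixed byte, uses Python's `secrets` module as the CSPRNG stand-in rather than an HSM key-generation call, and the `legacy_serial` generator is a hypothetical model of a CA that has not adopted the scheme.

```python
"""Serial numbers with a fixed first byte and 64 bits of CSPRNG output.

Constructed example; it assumes the layout discussed in the thread:
one fixed byte (0x75 is the value floated there) followed by exactly
64 bits from a CSPRNG, for a 9-byte serial.
"""
import secrets
from typing import Callable, List

FIXED_FIRST_BYTE = 0x75   # assumption: the candidate value from the thread
ENTROPY_BYTES = 8         # "the first 64 bits of output"
SERIAL_LEN = 1 + ENTROPY_BYTES


def generate_serial(rng: Callable[[int], bytes] = secrets.token_bytes) -> bytes:
    """Fixed first byte followed by 64 bits from the CSPRNG `rng`."""
    return bytes([FIXED_FIRST_BYTE]) + rng(ENTROPY_BYTES)


def legacy_serial(rng: Callable[[int], bytes] = secrets.token_bytes) -> bytes:
    """Hypothetical CA that has not adopted the scheme: 9 random bytes with
    only the high bit of the first byte cleared, so byte 0 is uniform on 0..127."""
    raw = bytearray(rng(SERIAL_LEN))
    raw[0] &= 0x7F
    return bytes(raw)


def der_encode_serial(serial: bytes) -> bytes:
    """Encode as ASN.1 INTEGER (tag 0x02, short-form length).

    With a nonzero first byte whose high bit is clear, the serial is already
    the minimal positive two's-complement content: no 0x00 pad is needed.
    A first byte of 0x00 would have to be stripped by a minimal encoder
    (changing the length), which is why 0x00 is avoided.
    """
    if len(serial) >= 128:
        raise ValueError("short-form length only")
    return b"\x02" + bytes([len(serial)]) + serial


def der_decode_serial(der: bytes) -> bytes:
    """Strict inverse of der_encode_serial: rejects non-minimal encodings."""
    if len(der) < 3 or der[0] != 0x02 or der[1] != len(der) - 2:
        raise ValueError("malformed INTEGER")
    body = der[2:]
    if len(body) > 1 and body[0] == 0x00 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER: superfluous leading 0x00")
    if len(body) > 1 and body[0] == 0xFF and body[1] & 0x80:
        raise ValueError("non-minimal INTEGER: superfluous leading 0xFF")
    return body


def check_serial(serial: bytes) -> List[str]:
    """Reasons a serial does not conform; an empty list means it conforms."""
    problems = []
    if len(serial) != SERIAL_LEN:
        problems.append(f"length {len(serial)}, expected {SERIAL_LEN}")
    if not serial:
        return problems
    if serial[0] & 0x80:
        problems.append("high bit of first byte set: negative INTEGER")
    if serial[0] != FIXED_FIRST_BYTE:
        problems.append(
            f"first byte 0x{serial[0]:02x}, expected 0x{FIXED_FIRST_BYTE:02x}")
    return problems


def nonconforming_first_bytes() -> int:
    """How many of the 128 first-byte values with the high bit clear are flagged.

    Exactly one (0x75) passes, so a legacy CA is caught with probability
    127/128 per certificate, which is the figure the message gives.
    """
    filler = b"\x00" * ENTROPY_BYTES
    return sum(1 for b in range(0x80) if check_serial(bytes([b]) + filler))


if __name__ == "__main__":
    s = generate_serial()
    print(s.hex(), der_encode_serial(s).hex(), check_serial(s))
    old = legacy_serial()
    print(old.hex(), check_serial(old))
    print(nonconforming_first_bytes(), "of 128 first bytes are flagged")
```

Running the checker over a CA's issued serials gives a quick conformance test: any 0x75-scheme CA yields an empty problem list every time, while a CA still emitting a random first byte is flagged on almost every certificate.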

