Dimitris Zacharopoulos via dev-security-policy <[email protected]> writes:
>If we have to count every CA that had this interpretation, then I suppose all >CAs that were using EJBCA with the default configuration have the same >interpretation. There's also an unknown number of CAs not using EJBCA that may have even further interpretations. For example my code, which I'll point out in advance has nothing to do with the BR and predates the existence of the CAB Forum itself, may or may not be compliant with whatever Mozilla's interpretation of 7.1 is. I literally have no idea whether it meets Mozilla's expectations. It doesn't do what EJBCA does, so at least it's OK there, but beyond that I have no idea whether it does what Mozilla wants or not. I assume any number of other CAs are in the same position, and given that if they guessed wrong they have to revoke an arbitrarily large number of certs, it's in their best interests to keep their heads down and wait for this to blow over. So perhaps instead of trying to find out which of the hundreds of CAs in the program aren't compliant, we can check which ones are. Would any CA that thinks it's compliant let us know, and indicate why they think they're compliant? For example "we take 64 bits of CSPRNG output, pad it with a leading <whatever>, and use that as the serial number", in other words what Matthew Hardeman suggested, would seem to be OK. Peter. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
