On Sat, Mar 9, 2019 at 12:49 PM Dimitris Zacharopoulos via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> The question I'm having trouble answering, and I would appreciate if
> this was answered by the Mozilla CA Certificate Policy Module Owner, is
>
> "does Mozilla treat this finding as a violation of the current language
> of section 7.1 of the CA/B Forum Baseline Requirements"?

Speaking as the CA Certificate Policy Module Owner, and being aware of the discussions that led to the current wording, I believe the intent of the BR language is for serial numbers to contain 64-bits of entropy. I certainly agree that the language could be improved, but I think the meaning is clear enough and yes I do expect CAs to treat serial numbers that do not actually consist of 64-bits of entropy as a BR and a Mozilla policy section 5.2 violation.

> I believe answering this question would bring some clarity to the
> participating CAs.

Thank you for pointing this out Dimitris. While it seems obvious to me, I can understand if there is some uncertainty resulting from the opposing arguments.

- Wayne