On Saturday, March 9, 2019 at 5:15:50 PM UTC-7, Wayne Thayer wrote:
> On Sat, Mar 9, 2019 at 12:49 PM Dimitris Zacharopoulos via
> dev-security-policy <[email protected]> wrote:
> 
> >
> > The question I'm having trouble answering, and I would appreciate if
> > this was answered by the Mozilla CA Certificate Policy Module Owner, is
> >
> > "does Mozilla treat this finding as a violation of the current language
> > of section 7.1 of the CA/B Forum Baseline Requirements"?
> >
> >
> Speaking as the CA Certificate Policy Module Owner, and being aware of the
> discussions that led to the current wording, I believe the intent of the BR
> language is for serial numbers to contain 64-bits of entropy. I certainly
> agree that the language could be improved, but I think the meaning is clear
> enough and yes I do expect CAs to treat serial numbers that do not actually
> consist of 64-bits of entropy as a BR and a Mozilla policy section 5.2
> violation.
> 
> > I believe answering this question would bring some clarity to the
> > participating CAs.
> >
> >
> Thank you for pointing this out, Dimitris. While it seems obvious to me, I
> can understand if there is some uncertainty resulting from the opposing
> arguments.
> 
> - Wayne

When it comes to entropy, how does the industry feel about leading zeros? There 
have been a few online and offline discussions around the requirement for the 
most significant bit to be set to 1. 

For example:
10000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 which 
results in an integer of 9223372036854775808.

In my opinion, to achieve a full 64 bits of serial number entropy we should not 
fix any of the bits. What are the thoughts on this?

The following value also has 64 bits but does not have the most significant bit 
set, yet it seems to meet the section 7.1 baseline requirements. 

00000001 00000000 00000000 00000000 00000000 00000000 00000000 00000000 which 
results in an integer of 72057594037927936.

In both cases the certificate field header lists the length of the serial 
number as 64 bits. 

For GoDaddy, we will be moving to 128-bit serial numbers to resolve this 
permanently.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
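As an added example (not code from the original post, from GoDaddy, or from any CA's issuance software), the Python below shows how DER actually encodes the two 64-bit serial values quoted in the post, and how an auditor can detect pinned bits (such as a forced most significant bit) from a sample of issued serials. The function names, the 200-sample size and the generators are my own illustrative choices; the 20-octet limit and the positive-integer rule come from RFC 5280 section 4.1.2.2 and BR section 7.1.

```python
"""Serial-number entropy and DER INTEGER encoding (added example, not CA code).

Two facts the thread turns on:
  1. DER encodes INTEGER as minimal-length two's complement. A value whose top
     bit is set needs a leading 0x00 pad octet (a 64-bit value with MSB=1 takes
     9 content octets), while leading zero octets are dropped (a 64-bit value
     below 2**56 takes 7 or fewer). The encoded length therefore varies.
  2. Forcing the MSB to 1 removes one bit of entropy: 2**63 possible values.
"""
import secrets
from typing import Iterable, Tuple

MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2 / BR 7.1: serialNumber at most 20 octets


def der_integer(value: int) -> bytes:
    """Encode a non-negative integer as a DER INTEGER (tag 0x02, short-form length)."""
    if value < 0:
        raise ValueError("certificate serial numbers must be non-negative")
    # Minimal two's-complement length: one extra octet whenever the top bit of
    # the highest value octet is set, so the encoding is not read as negative.
    length = value.bit_length() // 8 + 1
    if length >= 0x80:
        raise ValueError("long-form length is never needed for a serial number")
    return b"\x02" + bytes([length]) + value.to_bytes(length, "big")


def parse_der_integer(data: bytes) -> Tuple[int, int]:
    """Decode a short-form DER INTEGER; return (value, content_length).

    Rejects non-minimal encodings (a redundant leading 0x00 or 0xFF octet),
    which DER forbids and strict parsers treat as malformed.
    """
    if len(data) < 3 or data[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = data[1]
    if length >= 0x80 or len(data) != 2 + length:
        raise ValueError("bad or long-form length")
    content = data[2:]
    if length > 1 and content[0] == 0x00 and not (content[1] & 0x80):
        raise ValueError("non-minimal encoding: redundant leading 0x00")
    if length > 1 and content[0] == 0xFF and (content[1] & 0x80):
        raise ValueError("non-minimal encoding: redundant leading 0xFF")
    return int.from_bytes(content, "big", signed=True), length


def random_serial(entropy_octets: int) -> int:
    """BR-style serial: raw CSPRNG output, positive, no bit forced to any value.

    entropy_octets=8 is the 64 bits the thread discusses; 16 is the 128-bit
    serial the post says GoDaddy is moving to.
    """
    while True:
        value = int.from_bytes(secrets.token_bytes(entropy_octets), "big")
        if value != 0:  # BR 7.1 requires a positive serial: zero is redrawn
            return value


def msb_fixed_serial() -> int:
    """The pattern questioned in the post: top bit pinned to 1, 63 random bits."""
    return (1 << 63) | secrets.randbits(63)


def constant_bits(serials: Iterable[int], width: int = 64) -> int:
    """Mask of bit positions that held the same value in every supplied serial.

    Over a few hundred genuinely random serials, a bit that never varies is
    almost certainly pinned by the generator rather than drawn from the CSPRNG.
    """
    full = (1 << width) - 1
    and_mask, or_mask = full, 0
    for s in serials:
        and_mask &= s
        or_mask |= s
    always_one = and_mask
    always_zero = ~or_mask & full
    return always_one | always_zero


def check_serial_encoding(encoded: bytes) -> Tuple[int, int]:
    """Structural checks a lint tool can make: positive, minimal DER, <= 20 octets.

    What this cannot check: whether the value came from 64 bits of CSPRNG
    output. That is a property of the generator, not of any single serial.
    """
    value, length = parse_der_integer(encoded)
    if value <= 0:
        raise ValueError("serial must be positive")
    if length > MAX_SERIAL_OCTETS:
        raise ValueError("serial longer than 20 octets")
    return value, length


if __name__ == "__main__":
    for v in (1 << 63, 1 << 56, random_serial(8), random_serial(16)):
        enc = der_integer(v)
        print(f"{v:>40d}  content octets={len(enc) - 2}  hex={enc.hex()}")
    sample = [msb_fixed_serial() for _ in range(200)]
    print(f"pinned-bit mask over 200 MSB-fixed serials: {constant_bits(sample):#018x}")
```

Run as a script, the first value (the post's 9223372036854775808) encodes with 9 content octets because of the 0x00 pad, the second (72057594037927936) with 8, and a 16-octet random serial with 16 or 17, still inside the 20-octet ceiling. The `constant_bits` scan over a sample of MSB-fixed serials reports only bit 63 as pinned, which is the entropy loss the post is asking about.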