On Mon, Mar 11, 2019 at 5:35 PM Buschart, Rufus via dev-security-policy < [email protected]> wrote:
> Since choice 1 is a logical consequence of "containing 64 bits of random
> data", I was always under the impression that choice 2 was meant by the
> BRGs. If choice 1 is meant, then I think the requirement of being
> 'non-sequential' is just some lyrical sugar in the BRGs. Maybe there is a
> third definition of "sequential" that I haven't thought of?
>

I had definitely seen it as lyrical sugar, trying to *really* hammer the point of concern (of predictable serials).

This is an example where providing guidance in-doc can lead to more confusion, rather than less. For example, a "confused" reading of the BR requirement would say "at least 64-bits of entropy" by generating a random number once [1] and including it in all subsequent serials, monotonically increasing +1 each time :)

[1] https://xkcd.com/221/

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
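The two readings discussed in this thread, as an added example (not code from the thread, Mozilla, or any CA): a per-certificate CSPRNG draw beside the "confused" seed-once-then-increment generator, plus a small audit check that tells them apart. Everything here is hypothetical; the function and class names are the example's own, and the check assumes serials are examined in issuance order.

```python
"""Serial-number generation: the BR reading versus the "confused" reading.

Added example, not the thread's or any CA's code. Assumes the Baseline
Requirements' rule that each serial contains at least 64 bits of CSPRNG
output and is non-sequential.
"""
import secrets
from typing import List, Optional


def draw_serial_csprng() -> int:
    """Intended reading: a fresh 64-bit CSPRNG value for every certificate.

    A DER INTEGER serial must be positive, so a zero draw is simply redrawn.
    """
    while True:
        serial = secrets.randbits(64)
        if serial != 0:
            return serial


class ConfusedGenerator:
    """The "confused" reading: one random draw at start-up, then +1 per cert.

    Every serial still looks like a 64-bit random field, but each one after
    the first is fully predictable from its predecessor. Hypothetical class,
    shown only as the pattern an auditor wants to catch.
    """

    def __init__(self, seed: Optional[int] = None) -> None:
        # Constructed seed for tests; a real deployment would draw it once.
        self._next = secrets.randbits(64) if seed is None else seed

    def issue(self) -> int:
        serial = self._next
        self._next += 1
        return serial


def looks_sequential(serials: List[int], window: int = 2 ** 16) -> bool:
    """Audit check over serials in issuance order.

    True when every consecutive pair lies within `window` of each other.
    For independent 64-bit random serials a single pair lands within 2**16
    with probability about 2**-47, so a hit on real data points at a
    counter-based generator rather than chance.
    """
    if len(serials) < 2:
        return False
    return all(abs(b - a) <= window for a, b in zip(serials, serials[1:]))


def audit(serials: List[int]) -> dict:
    """What a reviewer can and cannot learn from a batch of serials."""
    return {
        "count": len(serials),
        # Field width says nothing about entropy: the confused generator
        # passes this check exactly as well as the correct one.
        "fits_64_bit_field": all(0 < s < 2 ** 64 for s in serials),
        # Only a cross-certificate view exposes the counter.
        "sequential": looks_sequential(serials),
    }


if __name__ == "__main__":
    good = [draw_serial_csprng() for _ in range(5)]
    gen = ConfusedGenerator()
    bad = [gen.issue() for _ in range(5)]
    print("fresh draw per cert:", audit(good))
    print("seed once, then +1 :", audit(bad))
```

The point the check makes concrete: inspecting any single serial cannot distinguish the two generators, since both emit a positive value that fits in 64 bits. Only comparing serials issued in sequence reveals the counter, which is why the "non-sequential" wording, however redundant it reads next to "64 bits of CSPRNG output", describes a property that has to be verified across certificates rather than per certificate.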

