> I think when it comes to specifications with cryptographic relevance (as
> unpredictable serials are), less is more; the more inflexible and
> unambiguous the spec is, the less likely it will be "creatively
> interpreted" in a manner that bypasses the whole point. To someone with
> crypto experience and an understanding of the intent, the current
> language clearly means "take 64 bits from a CSPRNG once, put whatever
> you want around them (or nothing), DER encode, and stuff it into the
> serial field". But clearly some implementers interpreted this
> differently, and here we are.
>
> That said, I do think the current exercise is, shall we say, bringing
> out some interesting opinions on what an appropriate response to the
> problem is. Statements such as:
>
> > There are no, and has never been any, 63 bit serial numbers created by
> > EJBCA.
>
> ... lead me to significantly reduce my trust in those making them, and
> their ability to correctly interpret security-critical standards in the
> future. Not everyone gets things right the first time, but owning up to
> problems, understanding the technical issue at hand, and accepting
> responsibility is a basic tenet of earning community trust.

I'm sorry you feel that way, but here's the thing. EJBCA produces whatever length serial numbers you request from it, restricted to an even octet and within the span of 4 to 20. EJBCA set to produce 8 octet serial numbers will produce exactly 64 bit serial numbers, including the MSB. Are you suggesting that a logical behavior for an 8 octet serial number would be to produce a 9 octet serial number and pad the first 7 bits?

EJBCA will produce exactly the serial number you've specified, and give you as much entropy as your serial length allows. EJBCA is a general CA implementation with multiple use cases, so it's not built to specifically conform to cabf requirements. As Ryan Sleevi pointed out - It is up to the end customer to understand their own requirements, and to understand that a 64 bit signed integer can in no way or fashion contain 64 bits of entropy.

Unless you're going under the presumption that the MSB doesn't count as a part of the serial number (and I've never seen an RFC or requirement pointing to that being the case), EJBCA does not produce 63 bit serial numbers.

Cheers,
Mike

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
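
The DER encoding detail this exchange turns on, as an added example that is not part of either message and is not EJBCA's code: a DER INTEGER is two's complement, so a positive serial held to 8 content octets has 63 free bits, while 64 bits taken from a CSPRNG need a ninth octet whenever the top bit is set. All function names are illustrative assumptions.

```python
import secrets

def der_integer(value: int) -> bytes:
    """DER-encode a non-negative INTEGER (short-form length, < 128 octets)."""
    if value < 0:
        raise ValueError("certificate serial numbers must not be negative")
    # INTEGER content is two's complement, so a value whose top bit would be
    # set needs a leading 0x00 octet to stay positive.
    n = value.bit_length() // 8 + 1
    if n > 127:
        raise ValueError("long-form lengths are not handled in this sketch")
    return bytes([0x02, n]) + value.to_bytes(n, "big")

def positive_capacity_bits(content_octets: int) -> int:
    """Most random bits a positive INTEGER of this content length can carry."""
    return 8 * content_octets - 1  # the sign bit is fixed at 0

def serial_with_64_random_bits() -> int:
    """64 bits from the OS CSPRNG, used directly as a non-negative serial."""
    return secrets.randbits(64)

def serial_capped_at_8_octets() -> int:
    """Positive serial that must fit 8 content octets: 63 random bits."""
    return secrets.randbits(positive_capacity_bits(8))

if __name__ == "__main__":
    for label, value in [
        ("2**63 - 1 (largest 8-octet positive)", 2**63 - 1),
        ("2**63     (needs a 9th octet)", 2**63),
        ("64 random bits", serial_with_64_random_bits()),
        ("8-octet cap", serial_capped_at_8_octets()),
    ]:
        print(f"{label:38} {der_integer(value).hex()}")
```

Roughly half of the serials from `serial_with_64_random_bits()` encode to 9 content octets; those from `serial_capped_at_8_octets()` never do.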

