On Tuesday, March 12, 2019 at 11:32:38 AM UTC-7, Ryan Sleevi wrote: > On Tue, Mar 12, 2019 at 2:22 PM Daymion Reynolds via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > The crux of the difference is in the DER format interpretation. The fact > > prefix (0)s do count for entropy, provided none of the bits are fixed and > > you have a minimum of 8 bytes in the serial. We discuss this in the Mozilla > > post on 3/11/2019. > > > > For the DER format the first two (0)s of the value is the positive sign of > > the integer. In our case if the un-signed integer value is 64bit and the > > most significant bit is set, two additional (0)s will be prepended to > > demonstrate a positive sign. In this case it will be 9bytes instead of > > 8bytes. Always a minimum of 8bytes (64bits) of entropy. You do still have > > to manage zero compression for integer values less than 72057594037927936, > > which will result in 7bytes instead of 8bytes. > > > > Just making sure I've got the right message - this is > https://groups.google.com/d/msg/mozilla.dev.security.policy/7WuWS_20758/9OKbI4xyCQAJ > correct? > > If viewing through groups' interface, you can click the arrow for "More > Message Actions" to copy link. > > To make sure I understand correctly, the statement is that GoDaddy > generated 64 bits of entropy prior to DER encoding. This resulted in some > serials that are exactly 8 octets (or even less, depending on leading zeros > and minimal encoding) and some serials that are 9 or more octets. > > The reduction from >1.8M certificates to 12K certificates is a statement > that only those 12K certificates lacked a 64-bit entropy contribution? And > possibly 273K certificates which GoDaddy does not consider issued, but > otherwise made committments to issue (such as logging a pre-cert)? > > To provide greater clarity about this incident, could you more fully > describe your serial number generation algorithm (potentially including > code or pseudo-code) that can help demonstrate how this system was > compliant?
It is an accurate statement to say that GoDaddy generates 64 full bits of entropy prior to the DER encoding. When these 64 bits are DER encoded, the result is either 8 or 9 octets written into the cert, depending on whether or not the most significant bit is a 0 (8 octets) or 1 (9 octets). In the case of 9 octets being written, the first octet is always “00” signifying the integer value is positive. It is worth noting: whether that extra “00” octet is present or not, there are always 64 randomly generated bits providing the needed entropy. RS - The reduction from >1.8M certificates to 12K certificates is a statement that only those 12K certificates lacked a 64-bit entropy contribution? DR – Yes, the 12k certs are only 7bytes or less and therefor do not meet the BRs. RS - possibly 273K certificates which GoDaddy does not consider issued, but otherwise made commitments to issue (such as logging a pre-cert)? DR - Yes, in most cases we logged a pre-cert prior to final issuance and turnover to the requested. We want to start revoking these certificates as they should be disposed of if not fully issued. 64bits_entropy = GetRandom64Bits() //This returns 64 random bits from a CSPRNG with at least one bit in the highest byte set to 1 CheckForDuplicate(64bits_entropy)//Verifies the serial is unique, otherwise repeat GetRandom64Bits() Cert.SetSerialNumber(64bits_entropy) //The ANS.1 encoding will either write this number as 8 or 9 octets. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
