On Tue, Mar 12, 2019 at 4:23 PM Daymion Reynolds via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Tuesday, March 12, 2019 at 11:32:38 AM UTC-7, Ryan Sleevi wrote:
> > On Tue, Mar 12, 2019 at 2:22 PM Daymion Reynolds via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> > > The crux of the difference is in the DER format interpretation. The fact
> > > prefix (0)s do count for entropy, provided none of the bits are fixed and
> > > you have a minimum of 8 bytes in the serial. We discuss this in the Mozilla
> > > post on 3/11/2019.
> > >
> > > For the DER format the first two (0)s of the value is the positive sign of
> > > the integer. In our case if the un-signed integer value is 64bit and the
> > > most significant bit is set, two additional (0)s will be prepended to
> > > demonstrate a positive sign. In this case it will be 9bytes instead of
> > > 8bytes. Always a minimum of 8bytes (64bits) of entropy. You do still have
> > > to manage zero compression for integer values less than 72057594037927936,
> > > which will result in 7bytes instead of 8bytes.
> > >
> >
> > Just making sure I've got the right message - this is
> > https://groups.google.com/d/msg/mozilla.dev.security.policy/7WuWS_20758/9OKbI4xyCQAJ
> > correct?
> >
> > If viewing through groups' interface, you can click the arrow for "More
> > Message Actions" to copy link.
> >
> > To make sure I understand correctly, the statement is that GoDaddy
> > generated 64 bits of entropy prior to DER encoding. This resulted in some
> > serials that are exactly 8 octets (or even less, depending on leading zeros
> > and minimal encoding) and some serials that are 9 or more octets.
> >
> > The reduction from >1.8M certificates to 12K certificates is a statement
> > that only those 12K certificates lacked a 64-bit entropy contribution? And
> > possibly 273K certificates which GoDaddy does not consider issued, but
> > otherwise made commitments to issue (such as logging a pre-cert)?
> >
> > To provide greater clarity about this incident, could you more fully
> > describe your serial number generation algorithm (potentially including
> > code or pseudo-code) that can help demonstrate how this system was
> > compliant?
>
> It is an accurate statement to say that GoDaddy generates 64 full bits of
> entropy prior to the DER encoding.  When these 64 bits are DER encoded, the
> result is either 8 or 9 octets written into the cert, depending on whether
> or not the most significant bit is a 0 (8 octets) or 1 (9 octets).  In the
> case of 9 octets being written, the first octet is always “00” signifying
> the integer value is positive.  It is worth noting:  whether that extra
> “00” octet is present or not, there are always 64 randomly generated bits
> providing the needed entropy.
>
> RS - The reduction from >1.8M certificates to 12K certificates is a
> statement that only those 12K certificates lacked a 64-bit entropy
> contribution?
> DR – Yes, the 12k certs are only 7bytes or less and therefore do not meet
> the BRs.
>
> RS - possibly 273K certificates which GoDaddy does not consider issued,
> but otherwise made commitments to issue (such as logging a pre-cert)?
> DR - Yes, in most cases we logged a pre-cert prior to final issuance and
> turnover to the requested. We want to start revoking these certificates as
> they should be disposed of if not fully issued.
>
>
> 64bits_entropy = GetRandom64Bits() // This returns 64 random bits from a CSPRNG with at least one bit in the highest byte set to 1
> CheckForDuplicate(64bits_entropy) // Verifies the serial is unique, otherwise repeat GetRandom64Bits()
> Cert.SetSerialNumber(64bits_entropy) // The ASN.1 encoding will either write this number as 8 or 9 octets.
>

Thanks Daymion!

From what you've described, it does sound that this is exactly what CAs
could/should have been doing, if they wanted the absolute minimum encoding
of a serial.

Note that even 7 bytes or less may still be valid - for example, if the
randomly generated integer was 4 [1], you might only have a one-byte serial
in encoded form ( '04'H ), and that would still be compliant. The general
burden of proof would be to demonstrate that these certificates were
generated with that given algorithm you described above.

[1] https://xkcd.com/221/
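
The octet counts discussed in this thread, as an added example that is not part of any message and is not GoDaddy's code: a minimal DER INTEGER encoder applied to fixed values and to random 64-bit serials. The function names are hypothetical, and redrawing until the highest byte is non-zero is an assumed reading of `GetRandom64Bits()`; the duplicate check is omitted.

```python
import secrets


def der_integer(value: int) -> bytes:
    """DER-encode a non-negative INTEGER (tag 0x02) with minimal content octets."""
    if value < 0:
        raise ValueError("serial numbers are non-negative")
    # bit_length() // 8 + 1 always leaves room for the sign bit, so a value
    # whose top bit is set gains one leading 0x00 octet and stays positive.
    content = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return bytes([0x02, len(content)]) + content  # short-form length (< 128)


def content_length(value: int) -> int:
    """Number of content octets written into the certificate for this serial."""
    return len(der_integer(value)) - 2


def random_serial_top_byte_nonzero() -> int:
    """64 CSPRNG bits, redrawn until the highest byte is non-zero (assumption)."""
    while True:
        value = secrets.randbits(64)
        if value >> 56:
            return value


def length_histogram(draw, samples: int = 20000) -> dict:
    """Count how many sampled serials encode to each content length."""
    counts = {}
    for _ in range(samples):
        n = content_length(draw())
        counts[n] = counts.get(n, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    # Constructed boundary values: sign-octet and leading-zero cases.
    for v in (4, 2**55 - 1, 2**56, 2**63 - 1, 2**63):
        print(f"{v:>20} -> {der_integer(v).hex()}")
    print("top byte non-zero:", length_histogram(random_serial_top_byte_nonzero))
    print("plain 64 bits:    ", length_histogram(lambda: secrets.randbits(64)))
```

The second histogram shows the case raised at the end of the thread: an unconstrained 64-bit draw occasionally encodes to 7 octets or fewer, so encoded length alone does not show how much CSPRNG output went into a serial.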