On Wed, Mar 13, 2019 at 05:56:55AM +0900, Hector Martin 'marcan' via dev-security-policy wrote:
> On 13/03/2019 05.38, Ryan Sleevi via dev-security-policy wrote:
> > Note that even 7 bytes or less may still be valid - for example, if the
> > randomly generated integer was 4 [1], you might only have a one-byte serial
> > in encoded form ( '04'H ), and that would still be compliant. The general
> > burden of proof would be to demonstrate that these certificates were
> > generated with that given algorithm you described above.
> >
> > [1] https://xkcd.com/221/
>
> Not only that, but, in fact, any attempt to guarantee certain properties
> of the serial (such that it doesn't encode to 7 bytes or less) *reduces*
> entropy.

The expected distribution when generating a random 64 bit integer and
properly encoding that as DER is that:
- about 1/2 integers require 9 bytes
- about 1/2 integers require 8 bytes
- about 1/512 integers require 7 bytes
- about 1/131072 integers require 6 bytes
- about 1/33554432 integers require 5 bytes
- [...]

That a serial is smaller than 8 bytes is not an indication that it
doesn't contain enough entropy.

Kurt
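
The distribution quoted in this thread can be checked exactly. The following is an added example, not code from any of the posters: it computes the DER INTEGER content length of a non-negative serial, the exact probability of each length for a uniform 64-bit value, and the entropy that remains if serials shorter than a chosen length are discarded. The function names are hypothetical.

```python
import math
from fractions import Fraction

BITS = 64  # width of the random serial, as in the thread


def der_int_content(value: int) -> bytes:
    """Content octets of a DER INTEGER for a non-negative value (minimal form)."""
    if value < 0:
        raise ValueError("serial numbers are non-negative")
    # DER integers are two's complement: one spare bit keeps the sign positive,
    # so a value with its top bit set gains a leading 0x00 octet.
    length = value.bit_length() // 8 + 1
    return value.to_bytes(length, "big")


def length_probability(n: int, bits: int = BITS) -> Fraction:
    """Exact probability that a uniform `bits`-bit integer needs n content octets."""
    total = 1 << bits
    lo = 0 if n == 1 else 1 << (8 * n - 9)   # smallest value needing n octets
    hi = min(1 << (8 * n - 1), total)        # one past the largest such value
    return Fraction(max(hi - lo, 0), total)


def entropy_if_short_rejected(min_len: int, bits: int = BITS) -> float:
    """Entropy in bits when serials shorter than min_len octets are discarded."""
    kept = sum(length_probability(n, bits) for n in range(min_len, bits // 8 + 2))
    # Rejection leaves a uniform choice among the kept values.
    return math.log2(kept * (1 << bits))


if __name__ == "__main__":
    for n in range(9, 4, -1):
        p = length_probability(n)
        print(f"{n} octets: {float(p):.3e} (about 1/{round(1 / p)})")
    print("entropy, all serials kept:   ", entropy_if_short_rejected(1))
    print("entropy, < 8 octets rejected:", entropy_if_short_rejected(8))
```
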