> The rule as written requires that the output bits have come from a CSPRNG.
> But it doesn't say that they have to come from a single invocation of a
> CSPRNG or that they have to be collected as a contiguous bit stream from the
> CSPRNG with no bits of output from the CSPRNG discarded and replaced by
> further invocation of the CSPRNG.
This reasoning has the potential to decrease the security that is provided by a requirement for a given minimum entropy, and I'll try to illustrate my point better with the following fictional situation where the requirement would be something like this:

> ... CAs SHALL generate non-sequential Certificate serial numbers greater than
> zero (0) containing at least 8 bits of output from a CSPRNG.

So we think that we can comply by generating serial numbers with exactly 1 byte fixed size, as the requirement asks for 8 bits. Then we start generating serial number candidates, but we need to perform some filtering:

1. First, as we want to produce one-byte constant-length positive serial numbers, we filter out values where the high-order bit is 1 and we are left with only 128 possible values.

2. Then, we filter out the 0 value and now we have 127 possible values to choose from.

3. Finally, we have to discard serial numbers assigned to previously issued certificates, and let's say we've issued 126 certificates previously, so now we're left with only one possible serial number to choose from.

And there it is: full predictability for the next serial number to be generated.

Now, this is just an example, but my point is that the interpretation that allowed for one-byte fixed-size serial numbers was a clear mistake in the context of this fictional requirement. Nevertheless, in real life we would be reducing 64 bits by just a little (e.g. to 63 bits), but anyway, the security is being reduced, maybe not enough to allow for a real attack... but there is a reduction.

Finally, as I see it, CAs should elaborate their serial number generation strategy guaranteeing that generated serial numbers at all times, now and in the future (after issuing many quadrillions of certificates), will always contain at least 64 bits of unfiltered entropy within them.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
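The following Python model is an added example and is not code from the original message or from any CA. It works through the arithmetic of the post's fictional 8-bit serial (sign-bit filter, zero filter, then filtering out already-issued values) and the real 64-bit case, and contrasts the "filter the CSPRNG output" scheme with an alternative that is my own assumption here, not something the post proposes: a constant leading 0x01 byte followed by unfiltered CSPRNG bytes, so that positivity and non-zero-ness hold by construction and only the uniqueness check can ever reject a candidate. The issued count of one million certificates used in the 64-bit comparison is a constructed figure for illustration.

```python
"""Residual entropy of a fixed-width certificate serial after filtering.

Added example, not part of the original post. It models the fictional
8-bit requirement from the message and the real 64-bit case, and
contrasts a "filter the CSPRNG output" design with a "fixed prefix byte
plus unfiltered CSPRNG bytes" design (the latter is an assumption of
this example, not something the post proposes).
"""
import math
import secrets


def candidates_after_filtering(width_bits: int, issued: int) -> int:
    """Serials still available when the whole fixed-size serial is
    width_bits of CSPRNG output and the CA then filters out negative
    values (high-order bit set, since an X.509 serialNumber is a signed
    DER INTEGER), zero, and `issued` previously used values."""
    positive_nonzero = 2 ** (width_bits - 1) - 1   # drop sign bit, drop 0
    return max(positive_nonzero - issued, 0)


def candidates_prefixed(random_bits: int, issued: int) -> int:
    """Serials still available with a constant 0x01 prefix byte followed
    by random_bits of CSPRNG output: no sign or zero filter is needed,
    only the uniqueness check removes `issued` values."""
    return max(2 ** random_bits - issued, 0)


def residual_entropy_bits(candidates: int) -> float:
    """log2 of the number of equally likely remaining candidates."""
    return math.log2(candidates) if candidates > 0 else 0.0


def draw_filtered_serial(width_bits: int, issued: set[int]) -> int:
    """The scheme the post criticises: regenerate until the value passes
    every filter. Each rejected draw is CSPRNG output thrown away, and
    once the space is nearly exhausted the result is predictable."""
    while True:
        v = secrets.randbits(width_bits)
        if v >> (width_bits - 1):          # high-order bit set -> negative
            continue
        if v == 0 or v in issued:
            continue
        return v


def draw_prefixed_serial(random_bits: int) -> bytes:
    """Fixed-size, positive, non-zero serial that keeps every CSPRNG bit:
    0x01 || random_bits/8 bytes. For random_bits=64 this is 9 octets,
    inside the 20-octet limit of RFC 5280."""
    body = secrets.token_bytes(random_bits // 8)
    return b"\x01" + body


def compare(width_bits: int, issued: int) -> dict:
    """Residual entropy of both schemes for the same nominal CSPRNG width
    (constructed comparison; `issued` is a hypothetical count)."""
    return {
        "filtered_bits": residual_entropy_bits(
            candidates_after_filtering(width_bits, issued)),
        "prefixed_bits": residual_entropy_bits(
            candidates_prefixed(width_bits, issued)),
    }


if __name__ == "__main__":
    # The post's fictional case: 8-bit serial, 126 already issued.
    print(compare(8, 126))          # filtered: 0.0 bits left -> predictable
    # The real case: 64 bits, hypothetical one million issued.
    print(compare(64, 10 ** 6))     # filtered: ~63 bits, prefixed: ~64 bits
    print(draw_filtered_serial(8, set(range(1, 127))))   # only 127 remains
    print(draw_prefixed_serial(64).hex())
```

Running it reproduces the post's count (127 candidates before any certificate is issued, exactly one after 126) and shows that with 64 bits the sign-bit filter alone costs the one bit the post mentions, while the prefix design leaves the full 64 bits intact apart from the negligible log2(2^64 - n) uniqueness loss.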