Hi Daymion, in [1] you said before:

> For the DER format the first two (0)s of the value is the positive sign of
> the integer. In our case if the un-signed integer value is 64bit and the most
> significant bit is set, two additional (0)s will be prepended to demonstrate
> a positive sign. In this case it will be 9bytes instead of 8bytes. Always a
> minimum of 8bytes (64bits) of entropy. You do still have to manage zero
> compression for integer values less than 72057594037927936, which will result
> in 7bytes instead of 8bytes.
Implying that you were preventing an encoding shorter than 8 bytes by filtering values lower than 01 00 00 00 00 00 00 00 (which, by the way, is unnecessarily high to avoid compression, as 80 00 00 00 00 00 00 suffices). But then you said:

> RS - The reduction from >1.8M certificates to 12K certificates is a statement
> that only those 12K certificates lacked a 64-bit entropy contribution?
> DR – Yes, the 12k certs are only 7bytes or less and therefore do not meet the
> BRs.

Confirming that you were not filtering out serial numbers shorter than 8 bytes, which contradicts the previous. Can you please clarify?

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/S2KNbJSJ-hs/E7uzTWDDBwAJ

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
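As an added illustration of the encoding rules argued over in this thread (this is not code from the thread or from the CA in question; the function names are my own), the following encodes a serial number as a DER INTEGER, parses one back while rejecting non-minimal encodings, and reports how many content bytes a given value actually occupies. It shows that 2^55 (80 00 00 00 00 00 00) already produces 8 content bytes because of the sign byte, that 2^56 (01 00 00 00 00 00 00 00) is the first value needing no sign byte, and that any value with the 64th bit set produces 9 bytes.

```python
# Added example: DER INTEGER handling for X.509 serial numbers (non-negative only).
# Helper names (der_integer_content, serial_report, ...) are hypothetical.

def der_integer_content(value: int) -> bytes:
    """Minimal two's-complement content octets of a DER INTEGER.

    DER forbids redundant leading 0x00 bytes ("zero compression"), but requires
    exactly one leading 0x00 when the top bit of the first byte is set, so the
    value is not read as negative. That sign byte is what turns an 8-byte value
    into 9 content bytes.
    """
    if value < 0:
        raise ValueError("serial numbers must be non-negative")
    if value == 0:
        return b"\x00"
    content = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if content[0] & 0x80:
        content = b"\x00" + content
    return content


def der_integer_tlv(value: int) -> bytes:
    """Full DER INTEGER (tag 0x02); short-form length suffices for serials (< 128 bytes)."""
    content = der_integer_content(value)
    if len(content) >= 128:
        raise ValueError("serial too long for short-form length")
    return b"\x02" + bytes([len(content)]) + content


def decode_der_integer(tlv: bytes) -> int:
    """Parse a short-form DER INTEGER, rejecting negative and non-minimal encodings."""
    if len(tlv) < 3 or tlv[0] != 0x02 or tlv[1] >= 0x80 or len(tlv) != 2 + tlv[1]:
        raise ValueError("not a short-form DER INTEGER")
    content = tlv[2:]
    if content[0] & 0x80:
        raise ValueError("negative serial number")
    if len(content) > 1 and content[0] == 0x00 and not content[1] & 0x80:
        raise ValueError("non-minimal encoding (redundant leading zero)")
    return int.from_bytes(content, "big")


def serial_report(value: int) -> dict:
    """Content-byte length of the encoding versus the bits the value itself carries."""
    content = der_integer_content(value)
    return {
        "content_bytes": len(content),            # what a "length >= 8" filter sees
        "value_bits": value.bit_length(),          # what actually came from the CSPRNG
        "meets_8_bytes": len(content) >= 8,
        "sign_pad": len(content) > 1 and content[0] == 0x00,
    }
```

Note that "content_bytes" and "value_bits" diverge precisely at the boundaries discussed above: a value between 2^55 and 2^56 has at most 56 bits of its own but still occupies 8 content bytes.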

