> Lastly, it was identified\discussed since we were STARTING with 64bits it was
> acceptable. Therefore, GoDaddy was in compliance prior to 3/7. After this
> discussion we changed back to the pre 3/7 configuration on 3/13.

Thanks for the additional explanation, greatly appreciated.

> From looking at the data, I think there's an open question as to whether
> GoDaddy was in compliance between those dates.

This is essentially the mirror image of the issue with EJBCA - it was coercing the high bit to zero, thus losing one bit; GoDaddy (between 3/7 and 3/13) was coercing the high bit to one. As these serial numbers were 8 bytes (64 bits), plus one null byte (0x00) to provide the sign when DER encoded, forcing the high bit to one drops the number of randomly selected bits from 64 to 63, below what is specified by BR 7.1.

Unfortunately, to me it looks like while trying to address a possible compliance issue, a compliance issue was introduced.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
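The arithmetic in the reply above, worked through as an added example (this is not code from the thread, from EJBCA or from GoDaddy): a constructed 64-bit serial generator that can reproduce either high-bit coercion, the DER INTEGER encoding that adds the 0x00 sign byte, and a sample-based check of how many bit positions actually vary. The function names are the example's own.

```python
import os

BR_MIN_RANDOM_BITS = 64  # BR 7.1 floor for CSPRNG output in a serial number


def generate_serial(high_bit=None):
    """Constructed 64-bit serial generator. high_bit=0 mimics the EJBCA
    behaviour (top bit cleared), high_bit=1 the GoDaddy 3/7..3/13
    configuration (top bit set), None leaves all 64 bits random."""
    s = int.from_bytes(os.urandom(8), "big")
    if high_bit == 0:
        s &= (1 << 63) - 1
    elif high_bit == 1:
        s |= 1 << 63
    return s


def der_encode_serial(serial):
    """DER-encode a positive integer as an X.509 serialNumber (INTEGER).
    Because DER INTEGER is two's complement, a value whose first byte has
    the top bit set needs a leading 0x00 so it is not read as negative."""
    if serial <= 0:
        raise ValueError("serialNumber must be a positive INTEGER")
    body = serial.to_bytes((serial.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body          # the extra "null byte" from the thread
    return b"\x02" + bytes([len(body)]) + body   # short-form length (< 128)


def effective_random_bits(serials, width_bits=64):
    """Count the bit positions that vary across a sample of raw serials.
    A position that is identical in every serial contributes no entropy,
    so both high-bit coercions yield 63 for 64-bit serials."""
    mask = (1 << width_bits) - 1
    all_and, all_or = mask, 0
    for s in serials:
        all_and &= s & mask
        all_or |= s & mask
    fixed = all_and | (~all_or & mask)  # always-1 bits plus always-0 bits
    return width_bits - bin(fixed).count("1")


def meets_br_71(serials):
    """True only if the sample shows at least 64 varying bits."""
    return effective_random_bits(serials) >= BR_MIN_RANDOM_BITS
```

The sample-based check is a heuristic for auditing issued serials; with a few thousand samples the chance that a genuinely random bit looks fixed is negligible.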

