Hello, today is IV Kal. Mar. MMVI; Dr. Stephen Henson wrote:
[... about serial numbers ...]
> Some CAs choose consecutive values, others what look like random values of
> hashes.
>
> One commercial reason for not using consecutive values is that competitors can
> work out how many certificates you've issued...
One good technical reason to choose "random" serial numbers was demonstrated by a paper written by Lenstra, Wang, and Weger (http://eprint.iacr.org/2005/067). The point here is that if the attacker can "predict" the content of a certificate, he can carefully generate a public key so that the signature of a certificate can be used on another certificate with another identity and public key. This attack is based on flaws in MD5 demonstrated in summer 2004. SHA1 is now under attack, and until the SHA2 series is well understood by a large proportion of the installed software base, CAs are "forced" to use SHA1...

See also: http://www.win.tue.nl/~bdeweger/CollidingCertificates/

The CA has the possibility to change the name of the issued certificate, by adding a random element (a kind of serial number), but this isn't usually well perceived (the customer always asks for clarification about this random stuff added to his identity), and it prevents an end-user from renewing a certificate with the exact same identity (since this will render the counter-measure useless).

The only logical, non-disturbing, embedded place for some random data is the serial number. Several ways exist to make it random from the outside, and still make sure each serial number is unique within a CA.

-- 
Erwann ABALEA <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
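As an added illustration of the last paragraph (this is example code, not part of the message above and not OpenSSL's own code): a CSPRNG-based serial allocator that keeps each serial positive and within the 20-octet DER limit of RFC 5280, and rejects any value this CA has already issued. The in-memory `issued` set stands in for a CA's issuance database, and the injectable `rng` parameter is an assumption added so the uniqueness check can be exercised deterministically.

```python
import secrets

# RFC 5280 section 4.1.2.2: serialNumber is a positive INTEGER that
# conforming CAs keep to at most 20 octets when DER-encoded.
MAX_SERIAL_OCTETS = 20
# 128 bits of CSPRNG output: far more than the 64-bit floor commonly
# recommended to make the serial unpredictable to a collision attacker,
# and short enough to always fit in 17 DER octets.
RANDOM_BITS = 128


def der_integer_length(n: int) -> int:
    """Octets DER needs for the non-negative INTEGER n (a 0x00 pad octet is
    added whenever the top bit of the leading octet would be set)."""
    if n < 0:
        raise ValueError("X.509 serials must be positive")
    return (n.bit_length() // 8) + 1


def is_valid_serial(n: int) -> bool:
    """Positive, non-zero, and encodable within 20 DER octets."""
    return n > 0 and der_integer_length(n) <= MAX_SERIAL_OCTETS


def serial_hex(n: int) -> str:
    """Hex form with 0x prefix, e.g. for `openssl x509 -set_serial`."""
    return "0x%x" % n


class SerialAllocator:
    """Issues unpredictable serials that are unique within one CA.

    Unpredictability comes from the CSPRNG; uniqueness comes from checking
    every candidate against the serials already issued (a CA would consult
    its issuance database here; `issued` is a constructed stand-in)."""

    def __init__(self, issued=None, rng=secrets.randbits):
        self.issued = set(issued or ())
        self._rng = rng  # rng(k) must return an int with up to k random bits

    def next_serial(self) -> int:
        while True:
            candidate = self._rng(RANDOM_BITS)
            # Reject zero/out-of-range values and any serial already issued.
            if not is_valid_serial(candidate) or candidate in self.issued:
                continue
            self.issued.add(candidate)
            return candidate
```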