On Fri, Feb 26, 2016 at 6:03 PM, Ryan Sleevi <[email protected]> wrote:
> Is there a reason for the change from "entropy" to "unpredictable bits" > > Would you be opposed to "64 bits of random data from a cryptographically > strong random number generator"? > > The concern I have with the language change is that while "entropy" is > arguably less ambiguous, I fear "unpredictable bits" will create a > situation where a CA says "No one knows our [deterministic] algorithm, > therefore it's unpredictable" > > I admit, I'm not terribly thrilled with my rewrite either, because I don't > think it should be required to use an RNG on an HSM, for example (that's > arguably overkill), but I do want to make sure that the source of entropy > is cryptographically strong (thus ruling out Microsoft's GUIDs, crappy > RNGs, etc) > I would prefer this proposal. It provides a specific thing that can be verified (whereas "entropy" and "unpredictable" are vague statistical properties). --Richard > > On Fri, Feb 26, 2016 at 1:49 PM, Ben Wilson <[email protected]> > wrote: > >> *For discussion:* >> >> *Pre-Ballot 164 - Certificate Serial Number Entropy* >> >> -- Motion Begins -- >> >> In Section 7.1 of the Baseline Requirements, >> >> REPLACE >> >> "CAs SHOULD generate non-sequential Certificate serial numbers that >> exhibit at least 20 bits of entropy" >> >> WITH >> >> "Effective April 1, 2016, CAs SHALL use a Certificate serialNumber >> greater than zero (0) that contains at least 64 unpredictable bits." >> >> -- Motion Ends -- >> >> >> >> _______________________________________________ >> Public mailing list >> [email protected] >> https://cabforum.org/mailman/listinfo/public >> >> > > _______________________________________________ > Public mailing list > [email protected] > https://cabforum.org/mailman/listinfo/public > >
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
