For clarity, I pasted in current BR 7.1 below.  Later sections of Sec. 7.1 
refer separately to Root Certificates, Subordinate CA Certificates, and 
Subscriber Certificates (Sec. 7.1.2.1 through 7.1.2.3).  So this proposal would 
apply to all three categories of certificates, correct?

If we adopt this, instead of starting “Effective April 1, 2016 ***”  maybe we 
should say “For certificates generated on or after April 1, 2016 ***” to make 
it clear that certificates generated before that date do not need to be 
reissued.  Also, is April 1 a little close for people to change their systems?


7. CERTIFICATE, CRL, AND OCSP PROFILES

7.1. CERTIFICATE PROFILE

The CA SHALL meet the technical requirements set forth in Section 2.2 - 
Publication of Information, Section 6.1.5 - Key Sizes, and Section 6.1.6 - 
Public Key Parameters Generation and Quality Checking.  CAs SHOULD generate 
non-sequential Certificate serial numbers that exhibit at least 20 bits of 
entropy.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Ben Wilson
Sent: Friday, February 26, 2016 1:50 PM
To: CABFPub
Subject: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy


For discussion:

Pre-Ballot 164 - Certificate Serial Number Entropy

-- Motion Begins --

In Section 7.1 of the Baseline Requirements,

REPLACE

"CAs SHOULD generate non-sequential Certificate serial numbers that exhibit at 
least 20 bits of entropy"

WITH

"Effective April 1, 2016, CAs SHALL use a Certificate serialNumber greater than 
zero (0) that contains at least 64 unpredictable bits."

-- Motion Ends --


_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
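The motion above only states the requirement (serialNumber greater than zero, at least 64 unpredictable bits); it does not say how a CA meets it. The following is an added example, not code from the ballot, the CA/Browser Forum or any list participant, showing one way to draw a compliant serial from a CSPRNG and the checks an auditor can actually run on a value. It assumes the RFC 5280 section 4.1.2.2 constraints on serialNumber (a positive INTEGER whose DER encoding is at most 20 octets), which interact with the proposed text in two ways: DER adds a leading 0x00 octet when the top bit of the value is set, so a 64-bit draw may occupy 9 octets, and clearing that top bit to avoid the pad would silently leave only 63 unpredictable bits.

```python
"""
Generating and sanity-checking an X.509 serialNumber against the wording of
Pre-Ballot 164: greater than zero, at least 64 unpredictable bits.

Added example; not code from the ballot, the CA/Browser Forum or any CA.
Assumes the RFC 5280 section 4.1.2.2 constraints on serialNumber: a positive
INTEGER whose DER encoding is at most 20 octets.
"""
import secrets
from typing import Callable, List

MIN_UNPREDICTABLE_BITS = 64   # the figure proposed in the motion
MAX_DER_OCTETS = 20           # RFC 5280 4.1.2.2 length limit


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER holding a non-negative value.

    DER INTEGER is two's complement, so a value whose most significant bit is
    set needs a leading 0x00 octet to stay positive. That pad octet counts
    toward the 20-octet limit, which is why 160 random bits can be one too many.
    """
    if value < 0:
        raise ValueError("serialNumber must be positive")
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def generate_serial(random_bits: int = MIN_UNPREDICTABLE_BITS,
                    rng: Callable[[int], int] = secrets.randbits) -> int:
    """Draw a serial containing `random_bits` CSPRNG bits, all of them kept.

    Pitfalls this deliberately avoids:
    - clearing the top bit to dodge the DER pad octet would leave only 63
      unpredictable bits from a 64-bit draw; the pad octet is harmless, keep it;
    - zero is excluded by redrawing, so no bit of the result is fixed;
    - more than 159 random bits could need 21 DER octets, so the draw is capped.
    `rng` takes a bit count and returns an int; it is a parameter only so the
    function can be exercised deterministically.
    """
    if random_bits < MIN_UNPREDICTABLE_BITS:
        raise ValueError(f"need at least {MIN_UNPREDICTABLE_BITS} random bits")
    if random_bits > 159:
        raise ValueError("more than 159 random bits may exceed 20 DER octets")
    while True:
        candidate = rng(random_bits)
        if candidate != 0:
            return candidate


def check_serial(serial: int) -> List[str]:
    """Hard, checkable violations of the proposed text and of RFC 5280.

    Returns an empty list if none are found. These are necessary conditions
    only: a single value cannot reveal how it was generated, so a 64-bit
    counter passes this check while still failing the 'unpredictable' clause.
    Judging that requires looking at how the CA draws serials, or at many of
    them together.
    """
    problems = []
    if serial <= 0:
        problems.append("serialNumber must be greater than zero")
    elif len(der_integer_content(serial)) > MAX_DER_OCTETS:
        problems.append(
            f"DER encoding exceeds {MAX_DER_OCTETS} octets (RFC 5280 4.1.2.2)")
    return problems


if __name__ == "__main__":
    for bits in (64, 128, 159):
        serial = generate_serial(bits)
        octets = der_integer_content(serial)
        print(f"{bits:3d} random bits -> serial {serial:#x} "
              f"({len(octets)} DER octets), problems: {check_serial(serial) or 'none'}")
    # constructed examples of values the proposed text or RFC 5280 rejects
    for bad in (0, -1, 2 ** 160 - 1):
        print(f"{bad:#x}: {check_serial(bad)}")
```

Note that check_serial cannot tell a random 64-bit value from a counter that happens to have reached 64 bits; the "unpredictable" clause is a property of the generation process, which is why the ballot text puts the obligation on the CA rather than on the encoded value.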
