Man,

Have you had a chance to do further research on the capabilities of your system? Our CA issues certificates with 32 hexadecimal characters for the serial number. There are 4 bits of entropy for each hexadecimal character. Therefore, our serial numbers have 128 bits of entropy and 16*32 = 512 unpredictable bits. An 8-hexadecimal-character serial number would have 32 bits of entropy and 128 unpredictable bits. A 20-bit entropy would be equal to 5 hexadecimal characters, or 80 unpredictable bits, so it seems like this is a downgrade to go to 64 unpredictable bits. Am I right?
Ben

From: Man Ho (Certizen) [mailto:[email protected]]
Sent: Wednesday, March 23, 2016 12:27 AM
To: Ben Wilson <[email protected]>; [email protected]
Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

Hi all,

Is the meaning of "at least 64 unpredictable bits" setting the same or a higher requirement than "at least 20 bits of entropy"? I'm not quite sure whether our certificate generation software has this setting in itself.

Cheers
Man

On 3/1/2016 12:21 AM, Ben Wilson wrote:

REPLACE "CAs SHOULD generate non-sequential Certificate serial numbers that exhibit at least 20 bits of entropy"

WITH "Effective April 1, 2016, CAs SHALL use a Certificate serialNumber greater than zero (0) that contains at least 64 unpredictable bits."
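The proposed text above sets two checkable properties on a serialNumber: it must be greater than zero, and at least 64 of its bits must come from an unpredictable source. The following is an added example (not code from the thread, the CA/Browser Forum or any CA mentioned) showing one way a CA's issuance code could generate such a serial and validate it before signing. It assumes a common deployment pattern, an optional issuer-chosen fixed prefix followed by CSPRNG bits, where only the random part counts toward the 64 bits; each fully random hexadecimal character contributes 4 bits, so 64 bits is 16 such characters. The 20-octet ceiling on the encoded INTEGER is RFC 5280's limit, not something stated in the thread, and it matters here because a random value whose top bit is set needs an extra leading 0x00 octet in DER.

```python
"""Generate and check certificate serial numbers against the rule quoted in the thread.

Added example. The prefix/random layout is an assumed CA design pattern, not
something the thread prescribes.
"""
from __future__ import annotations

import secrets

MIN_UNPREDICTABLE_BITS = 64   # from the proposed Baseline Requirements text above
MAX_SERIAL_OCTETS = 20        # RFC 5280 section 4.1.2.2 ceiling; not stated on the page


def der_integer_content(value: int) -> bytes:
    """Return the content octets of a DER INTEGER holding a non-negative value.

    DER INTEGERs are two's complement, so a value whose most significant bit
    is set needs a leading 0x00 octet or it would decode as negative. That
    padding octet counts toward the 20-octet limit.
    """
    if value < 0:
        raise ValueError("certificate serial numbers must be non-negative")
    octets = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if octets[0] & 0x80:
        octets = b"\x00" + octets
    return octets


def generate_serial(random_bits: int = MIN_UNPREDICTABLE_BITS, prefix: bytes = b"") -> int:
    """Build a serial as <optional fixed prefix> || <random_bits CSPRNG bits>.

    Only the random part is unpredictable; a sequential or constant prefix
    adds length but no entropy. Zero is rejected because the quoted text
    requires serialNumber > 0 (the rejection rate is negligible at 64 bits).
    """
    if random_bits < MIN_UNPREDICTABLE_BITS:
        raise ValueError(
            f"need at least {MIN_UNPREDICTABLE_BITS} random bits, got {random_bits}")
    while True:
        random_part = secrets.randbits(random_bits).to_bytes((random_bits + 7) // 8, "big")
        serial = int.from_bytes(prefix + random_part, "big")
        if serial > 0:
            break
    if len(der_integer_content(serial)) > MAX_SERIAL_OCTETS:
        raise ValueError("prefix plus random part does not fit in a 20-octet DER INTEGER")
    return serial


def check_serial(serial: int, random_bits: int) -> list[str]:
    """Return the list of rule violations for a candidate serial (empty when it conforms).

    `random_bits` is the number of bits the caller can vouch came from a
    CSPRNG; the integer value alone cannot reveal how it was produced.
    """
    problems: list[str] = []
    if serial <= 0:
        problems.append("serialNumber must be greater than zero")
    if random_bits < MIN_UNPREDICTABLE_BITS:
        problems.append(
            f"only {random_bits} unpredictable bits; {MIN_UNPREDICTABLE_BITS} required")
    if serial > 0 and len(der_integer_content(serial)) > MAX_SERIAL_OCTETS:
        problems.append("encoded serialNumber exceeds 20 octets")
    return problems


if __name__ == "__main__":
    s = generate_serial(64, prefix=b"\x01")   # constructed prefix for the demo
    print(f"serial = {s:x} ({len(der_integer_content(s))} DER octets)")
    print("violations:", check_serial(s, 64))
```

The validator deliberately takes `random_bits` as an argument rather than inferring it: an issued serial that is all hex digits looks the same whether it came from a counter or a CSPRNG, so the entropy claim has to be tracked in the issuance pipeline, not recovered from the certificate afterwards.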
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
