Ben: Are you sure your math is correct? A serial number is 20 bytes, with the high bit needing to be 1 (for the encoding of positive INTEGERS within DER). This leaves 159 bits for entropy. So you certainly can't have more unpredictable bits than that :)
On Thu, Apr 14, 2016 at 12:59 PM, Ben Wilson <[email protected]> wrote:
> Man,
>
> Have you had a chance to do further research on the capabilities of your system? Our CA issues certificates with 32 hexadecimal characters for the serial number. There are 4 bits of entropy for each hexadecimal character. Therefore, our serial numbers have 128 bits of entropy and 16*32= 512 unpredictable bits. An 8-hexadecimal character serial number would have 32 bits of entropy and 128 unpredictable bits. A 20-bit entropy would be equal to 5 hexadecimal characters, or 80 unpredictable bits, so this seems like this is a downgrade to go to 64 unpredictable bits. Am I right?
>
> Ben
>
> *From:* Man Ho (Certizen) [mailto:[email protected]]
> *Sent:* Wednesday, March 23, 2016 12:27 AM
> *To:* Ben Wilson <[email protected]>; [email protected]
> *Subject:* Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
>
> Hi all,
>
> Is the meaning of "at least 64 unpredictable bits" setting the same or a higher requirement than "at least 20 bits of entropy"? I'm not quite sure whether our certificate generation software has this setting in itself.
>
> Cheers
> Man
>
> On 3/1/2016 12:21 AM, Ben Wilson wrote:
>
> REPLACE
>
> "CAs SHOULD generate non-sequential Certificate serial numbers that exhibit at least 20 bits of entropy"
>
> WITH
>
> "Effective April 1, 2016, CAs SHALL use a Certificate serialNumber greater than zero (0) that contains at least 64 unpredictable bits."
>
> _______________________________________________
> Public mailing list
> [email protected]
> https://cabforum.org/mailman/listinfo/public
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
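As an added illustration of the arithmetic discussed in this thread (not part of the list mail, and not any CA's issuance code), the standard-library Python below encodes a non-negative integer as DER INTEGER content octets, computes how many random bits an n-character hexadecimal serial carries and how many freely chosen bits fit in a 20-octet serialNumber, and generates a serial from a chosen number of CSPRNG bits that is greater than zero. The function names `der_integer_content`, `max_random_bits_in_serial`, `random_bits_from_hex_length`, `generate_serial` and `check_serial` are my own; the 20-octet limit is the RFC 5280 constraint the thread refers to.

```python
import os

# RFC 5280 section 4.1.2.2: serialNumber MUST be a positive INTEGER and
# conforming CAs MUST NOT use values longer than 20 octets.
MAX_SERIAL_OCTETS = 20


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER for a non-negative value.

    DER uses minimal-length two's-complement big-endian encoding, so a
    positive value whose top bit is set needs a leading 0x00 octet or a
    decoder would read it as negative.
    """
    if value < 0:
        raise ValueError("negative serial numbers are not considered here")
    if value == 0:
        return b"\x00"
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return raw


def max_random_bits_in_serial(max_octets: int = MAX_SERIAL_OCTETS) -> int:
    """Freely chosen bits that still fit in max_octets DER content octets.

    One bit of the first octet is taken by the sign, leaving 8*n - 1.
    """
    return 8 * max_octets - 1


def random_bits_from_hex_length(hex_chars: int) -> int:
    """Each hexadecimal character carries 4 bits, so n characters carry 4*n."""
    return 4 * hex_chars


def generate_serial(random_bits: int = 64) -> int:
    """Serial built from random_bits CSPRNG bits, > 0, encodable in <= 20 octets."""
    limit = max_random_bits_in_serial()
    if not 1 <= random_bits <= limit:
        raise ValueError(f"random_bits must be between 1 and {limit}")
    while True:
        candidate = int.from_bytes(os.urandom((random_bits + 7) // 8), "big")
        candidate &= (1 << random_bits) - 1  # keep exactly random_bits bits
        if candidate > 0:                    # ballot text: greater than zero
            return candidate


def check_serial(serial: int, max_octets: int = MAX_SERIAL_OCTETS) -> dict:
    """Structural checks on one serial value.

    Unpredictability is a property of the generator, not of a single value,
    so only positivity and encoded length can be checked here.
    """
    content = der_integer_content(serial) if serial >= 0 else b""
    return {
        "positive": serial > 0,
        "der_octets": len(content),
        "fits": serial > 0 and len(content) <= max_octets,
    }


if __name__ == "__main__":
    s = generate_serial(64)
    print(f"serial=0x{s:x}", check_serial(s))
    print("bits in a 32-hex-char serial:", random_bits_from_hex_length(32))
    print("max random bits in 20 octets:", max_random_bits_in_serial())
```

Running the block prints a fresh 64-bit serial together with its encoded length (8 or 9 octets, depending on whether the top bit is set), the 128 bits that 32 hexadecimal characters carry, and the 159-bit ceiling for a 20-octet serial.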
