Issue #6725 has been updated by Daniel Pittman.
4.1.2.2. Serial Number
The serial number MUST be a positive integer assigned by the CA to
each certificate. It MUST be unique for each certificate issued by a
given CA (i.e., the issuer name and serial number identify a unique
certificate). CAs MUST force the serialNumber to be a non-negative
integer.
We can't use an unmodified UUID, but we can use the bignum representation of
one. A generally satisfactory version would be a UUID v5 based on the CN
and/or ancillary data present in the certificate, which ensures we are as
unique as SHA-1 over a controlled set of inputs is, without coordination.
Otherwise, a v2 or v4 with a decent PRNG would probably work, but would need
checking to ensure they don't have risk of collision when one of the randomness
inputs fails...
----------------------------------------
Feature #6725: Serial # for x509 certificates
https://projects.puppetlabs.com/issues/6725
Author: Ken Barber
Status: Accepted
Priority: Normal
Assignee:
Category: ssh
Target version:
Affected Puppet version: 2.6.6
Keywords:
Branch:
So the way we sequentially assign serial numbers for certificates is not
optimal and forces us to do weird things like locking files to ensure we avoid
duplication. The reality is a serial number in an x509 certificate does not
need to be sequential, it just needs to be random:
http://tools.ietf.org/html/rfc5280#page-19
Now I believe the RFC wording can support a serial number up to 20 octets wide.
If this is the case we can probably just use uuids (which are 16 octets wide?)
... which would reduce the amount of collision possibilities.
There are a few reasons that this is beneficial:
* to allow us to potentially remove the locking of our serial file. I found in
the past this locking reduces scalability in cases of en masse auto-signing.
* Also - in auto-sign situations - this removes the need to have a single CA
for sequential serial allocation ... if the serials are uuids they have a low
chance of collision more or less. In the future if we move cert storage to a
central place we can avoid having to lock for the next number as well.
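The scheme Daniel Pittman sketches above (UUID v5 over the CN, or a v4 from a decent PRNG, taken as a bignum), worked through in Ruby as an added example. This is not Puppet's code; the X.500 namespace UUID is the RFC 4122 well-known value, the CN and the self-signed issuance are illustrative, and the RFC 5280 check is the one the issue cites (positive INTEGER, no more than 20 octets in the DER encoding):

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

# Added example, not Puppet's code: derive an X.509 serial number from a UUID
# and check it against RFC 5280 4.1.2.2 (positive INTEGER, at most 20 octets
# in its DER encoding). The CN and the self-signed issuance are illustrative.

# RFC 4122 well-known namespace UUID for X.500 distinguished names.
NS_X500 = '6ba7b814-9dad-11d1-80b4-00c04fd430c8'.freeze

def uuid_to_bytes(uuid)
  [uuid.delete('-')].pack('H*')
end

def bytes_to_uuid(bytes)
  hex = bytes.unpack1('H*')
  [hex[0, 8], hex[8, 4], hex[12, 4], hex[16, 4], hex[20, 12]].join('-')
end

# Name-based UUID (version 5): SHA-1 over namespace || name, truncated to
# 128 bits, with the version and variant bits forced as RFC 4122 requires.
# Same inputs always give the same UUID, so uniqueness is only as good as
# the uniqueness of the inputs.
def uuid_v5(namespace, name)
  b = Digest::SHA1.digest(uuid_to_bytes(namespace) + name).byteslice(0, 16).bytes
  b[6] = (b[6] & 0x0f) | 0x50   # version 5
  b[8] = (b[8] & 0x3f) | 0x80   # RFC 4122 variant
  bytes_to_uuid(b.pack('C*'))
end

# Random UUID (version 4) from the OS CSPRNG. SecureRandom raises if no
# entropy source is available rather than silently using a weak generator.
def uuid_v4
  SecureRandom.uuid
end

# The "bignum representation" of a UUID: its 128 bits read as an unsigned integer.
def serial_from_uuid(uuid)
  n = uuid.delete('-').to_i(16)
  raise ArgumentError, 'serial must be positive' if n.zero?
  n
end

# Number of octets in the DER INTEGER contents. A value whose top bit is set
# gets a leading 0x00 pad byte, so a 16-octet UUID can occupy 17 octets.
def serial_der_octets(n)
  der = OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(n.to_s)).to_der
  der.bytesize - 2 # drop the tag byte and the single length byte (contents < 128)
end

def rfc5280_serial_ok?(n)
  n.is_a?(Integer) && n > 0 && serial_der_octets(n) <= 20
end

# Issue a self-signed certificate carrying the serial, then re-parse it from
# DER so the check below reads the value as a relying party would see it.
def self_signed_with_serial(serial, cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.new(serial.to_s)
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::X509::Certificate.new(cert.to_der)
end

if $PROGRAM_NAME == __FILE__
  cn = 'node1.example.com' # constructed sample CN
  v5 = uuid_v5(NS_X500, "CN=#{cn}")
  serial = serial_from_uuid(v5)
  puts "uuid v5      : #{v5}"
  puts "serial (hex) : #{serial.to_s(16)}"
  puts "DER octets   : #{serial_der_octets(serial)} (limit 20)"
  puts "RFC 5280 ok  : #{rfc5280_serial_ok?(serial)}"
  cert = self_signed_with_serial(serial, cn)
  puts "round-trip   : #{cert.serial.to_i == serial}"
  puts "v4 serial ok : #{rfc5280_serial_ok?(serial_from_uuid(uuid_v4))}"
end
```

Two points worth keeping in mind when using this. The v5 route is deterministic, so re-issuing a certificate for the same CN with the same ancillary inputs yields the same serial, which breaks the "unique per issuer" requirement unless something that changes per issuance (a timestamp, the public key) is part of the hashed name. The v4 route has no such problem but rests entirely on the PRNG; the UUID's fixed version and variant bits leave 122 random bits, which is what keeps the collision probability negligible.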