Certificate serial number generation algorithms
Does anyone know the details of the certificate generation algorithms used by various CAs? In particular, Verisign's is very long and I seem to remember someone telling me it was a hash but I don't recall the details...

Thanks,
-Ekr

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Certificate serial number generation algorithms
Eric Rescorla [EMAIL PROTECTED] writes:

> In particular, Verisign's is very long and I seem to remember someone telling me it was a hash but I don't recall the details...

It's just a SHA-1 hash. Many CAs use this to make traffic analysis of how many (or few) certificates they're issuing impossible. An additional motivation for use by Verisign was to avoid certs with low serial numbers having special significance.

While there are a few CAs that follow the monotonically-increasing-integers scheme that certs were originally intended to have (and all manner of other weirdness, 32-bit integer IDs of unknown origin seem to be popular in the other category), most seem to use a binary blob of varying length.

Peter.
Re: Certificate serial number generation algorithms
In message [EMAIL PROTECTED] on Sun, 10 Oct 2004 18:16:21 -0700, Eric Rescorla [EMAIL PROTECTED] said:

ekr> Does anyone know the details of the certificate generation
ekr> algorithms used by various CAs?

Variants I've heard of are:

- A simple counter starting at 0 (well, actually, I know this one, as that's what OpenSSL does :-))
- A simple counter starting with a random value (OpenSSL has an option for this).
- A time-based value (I don't recall who did that)
- A hash of some sort (I believe Verisign does that, among others)

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-708-26 53 44
\ SWEDEN \
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
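The four serial-number schemes listed by Richard Levitte, and the SHA-1-derived serial Peter Gutmann attributes to Verisign, side by side with the conformance check a CA operator would want: RFC 5280 (section 4.1.2.2) requires a serial to be a positive INTEGER whose DER encoding is at most 20 octets, so a raw 160-bit digest with its top bit set would need a leading 0x00 and spill to 21 octets, and a counter that starts at 0 issues a non-positive serial first. This is an added example, not code from the thread or from OpenSSL; what a hash-based CA actually feeds into SHA-1 is not stated on the page, so the hash input here is an assumed per-issuance record.

```python
import hashlib
import secrets
import time

MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2 limit for conforming CAs


def der_integer_content(value):
    """Minimal DER content octets for a non-negative INTEGER.
    A value whose top bit is set needs a leading 0x00 to stay positive."""
    if value < 0:
        raise ValueError("serial numbers must be positive")
    content = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"\x00" + content if content[0] & 0x80 else content


def serial_problems(value):
    """RFC 5280 conformance problems for a candidate serial (empty = OK)."""
    problems = []
    if value <= 0:
        problems.append("not positive")
    elif len(der_integer_content(value)) > MAX_SERIAL_OCTETS:
        problems.append("DER encoding exceeds 20 octets")
    return problems


def counter_serial(state):
    """Monotonic counter; `state` is a one-element list standing in for the
    CA's persisted serial file. Seeded with [0] it mirrors the OpenSSL
    default the thread describes (first issued serial is then 1)."""
    state[0] += 1
    return state[0]


def random_start_state(bits=64):
    """Counter state for the random-start variant (assumed 64-bit start)."""
    return [secrets.randbits(bits)]


def time_serial(now=None):
    """Time-based serial: whole seconds since the epoch (assumed layout)."""
    return int(time.time() if now is None else now)


def hash_serial(issuance_record):
    """SHA-1-derived serial in the style attributed to Verisign. The input
    is an assumed per-issuance record; the top bit is cleared so the
    160-bit digest still encodes as a 20-octet positive INTEGER."""
    digest = hashlib.sha1(issuance_record).digest()
    return int.from_bytes(digest, "big") & ((1 << 159) - 1)
```

Running `serial_problems(int.from_bytes(hashlib.sha1(b"x").digest(), "big"))` on an unmasked digest shows the 21-octet case whenever the first digest byte is 0x80 or above.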