[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

Ryan Sleevi sleevi at google.com
Thu Apr 14 20:03:19 UTC 2016


Ben:

Are you sure your math is correct? A serial number is 20 bytes, with the
high bit needing to be 1 (for the encoding of positive INTEGERS within
DER). This leaves 159 bits for entropy. So you certainly can't have more
unpredictable bits than that :)

On Thu, Apr 14, 2016 at 12:59 PM, Ben Wilson <ben.wilson at digicert.com>
wrote:

> Man,
>
> Have you had a chance to do further research on the capabilities of your
> system?  Our CA issues certificates with 32 hexadecimal characters for the
> serial number.  There are 4 bits of entropy for each hexadecimal
> character.  Therefore, our serial numbers have 128 bits of entropy and
> 16*32= 512 unpredictable bits.  An 8-hexadecimal character serial number
> would have 32 bits of entropy and 128 unpredictable bits.  A 20-bit entropy
> would be equal to 5 hexadecimal characters, or 80 unpredictable bits, so
> this seems like this is a downgrade to go to 64 unpredictable bits.  Am I
> right?
>
> Ben
>
>
>
> *From:* Man Ho (Certizen) [mailto:manho at certizen.com]
> *Sent:* Wednesday, March 23, 2016 12:27 AM
> *To:* Ben Wilson <ben.wilson at digicert.com>; public at cabforum.org
> *Subject:* Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number
> Entropy
>
>
>
> Hi all,
>
> Is the meaning of "at least 64 unpredictable bits" setting the same or a
> higher requirement than "at least 20 bits of entropy" ? I'm not quite sure
> whether our certificate generation software has this setting in itself.
>
> Cheers
> Man
>
> On 3/1/2016 12:21 AM, Ben Wilson wrote:
>
> REPLACE
>
> "CAs SHOULD generate non-sequential Certificate serial numbers that
> exhibit at least 20 bits of entropy"
>
> WITH
>
> "Effective April 1, 2016, CAs SHALL use a Certificate serialNumber greater
> than zero (0) that contains at least 64 unpredictable bits."
>
>
>
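As an added example that is not part of this thread (and not any CA's or the Forum's own code), the Python below generates a serial with a configurable count of unpredictable bits and checks the 20-octet limit Ryan describes by computing the DER INTEGER content length, which is where the sign bit costs one of the 160 bits; all function names are my own.

```python
import secrets

# RFC 5280 section 4.1.2.2: serialNumber MUST NOT be longer than 20 octets.
MAX_SERIAL_OCTETS = 20


def der_integer_content(value: int) -> bytes:
    """Minimal DER content octets for a non-negative INTEGER (two's complement, big-endian)."""
    if value < 0:
        raise ValueError("serial numbers must be positive")
    n = max(1, (value.bit_length() + 7) // 8)
    body = value.to_bytes(n, "big")
    # If the leading bit is 1 the INTEGER would decode as negative,
    # so DER prepends a 0x00 octet; that octet counts against the 20.
    if body[0] & 0x80:
        body = b"\x00" + body
    return body


def max_unpredictable_bits(max_octets: int = MAX_SERIAL_OCTETS) -> int:
    """Bits available once the sign bit is reserved: 20 octets -> 159 bits."""
    return max_octets * 8 - 1


def generate_serial(unpredictable_bits: int = 64,
                    max_octets: int = MAX_SERIAL_OCTETS) -> int:
    """Draw a serial from a CSPRNG with the requested number of unpredictable bits.

    The lower bound follows the ballot text (at least 64 unpredictable bits);
    the upper bound keeps the DER encoding within max_octets.
    """
    hi = max_unpredictable_bits(max_octets)
    if not 64 <= unpredictable_bits <= hi:
        raise ValueError(f"unpredictable_bits must be in [64, {hi}]")
    while True:
        serial = secrets.randbits(unpredictable_bits)
        if serial > 0:  # ballot text: serialNumber greater than zero
            return serial


def check_serial(serial: int, max_octets: int = MAX_SERIAL_OCTETS) -> bool:
    """True if the serial is positive and its DER INTEGER fits in max_octets."""
    return serial > 0 and len(der_integer_content(serial)) <= max_octets
```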