Before I respond below let me add a little background. My perspective
is from the embedded software realm where resources and capabilities and
options are limited compared to a "more ideal" environment, such as the
desktop computer where I'm using Firefox and Thunderbird! That said I
think that ideas and solutions which would help the embedded space will
also help the broader Mozilla space--to say nothing of the Boot-to-Gecko
efforts.
So, with that said....
>> The serial number is the best place to put the random data.
Agreed.
>> But you can also place it in the subject name, if you can make sure
>> it appears in the first block (in the sense of hash block size, which
>> is 512 bytes for MD5 and SHA1). If you can't ensure this, then you
>> can get screwed.
For what it's worth I would say the validity dates are fair game, too.
They might not be great options and there are good reasons to choose
the serial number field over the dates, but as far as I'm concerned they
can be "repurposed" as they say. (Surely, most people on this list
would agree defining a validity period down to a precise second is
overkill, no? How about hour? Day?)
> Yes, but can we fiddle with the subject name without impacting policy?
I would strongly discourage that practice! Technically speaking it is
possible, yes, but I think it must be considered only as a last resort.
While in theory a software implementation is not supposed to impose
limits on something like this, the unfortunate reality is that many
embedded systems do have a maximum length they can realistically
support. I'd hate to see that space used up by something like random
data when other options are available.
>>>> 2) When I receive a cert that doesn't match, I would like to check the
>>>> serial number to see if it's "newer" than the one I have. In such
>>>> cases, I
>>>> know I need to do a full evaluation of the cert, it's contents, and
>>>> the
>>>> authority chain. I'm concerned in this case that the cert I was
>>>> using may
>>>> have been revoked. I'm concerned that the newer cert may or may
>>>> not be a
>>>> fraud. For that matter, I'm concerned that the cert I was using was
>>>> fraudulent. But if everything checks out, I want to add the new
>>>> cert to my
>>>> local cache but also keep the old one around so I know whether to
>>>> trust it
>>>> the next time I encounter it.
>>> Yes, this is to assume that "serial" means serial, and/or that higher
>>> numbers means "newer". This meaning or implication has been explicitly
>>> withdrawn, enough already such that you can no longer rely upon it (CAs
>>> have been doing this for some time...)
>> It's also overloading what the serial number is.
>>
>> For a manufactured product, as a customer, I can't assume that the
>> serial number has any meaning. For some manufacturers it can have a
>> structure (year, week, production unit, ...), for some others it may
>> be a simple monotonic counter. Still as a customer, I don't need to
>> know what this serial number means, I only need to know that this
>> particular serial number is attached to this particular item. As the
>> manufacturer, I of course need to map a serial number to a production
>> center, maybe a design base, a model number, a date, a production
>> line, etc, anything that could be useful to track down this item's
>> construction.
>>
>> That's the same in X.509. The serial number only needs to have a
>> meaning for the certificate producer, not for the relying party.
I think we might be in agreement here...but I can't tell for sure. If
we were to change the name, hypothetically speaking, from "serial
number" to "production code" in the X.509 cert, I could accept
that...provided we come to an agreement on the coding format.
The slight issue I have with what you say is that I see 2 different
consumers of certificates. Obviously, one is the end-user who, by and
large, will have no interest in making any sense of the serial
number/production code. Just because my car has a VIN number doesn't
mean I really care about it.
The other user is the security software that receives and interprets the
cert. In some cases the software could choose to make sense of such a
code. To use the VIN example, my insurance company is interested in
understanding the VIN code so that they can set my rates higher if I
have a 6-cylinder engine vs a 4-cylinder. And they could tell if I lied
about the make and model....
So, I think it's okay to at least define a code/format even though it
will be meaningless junk to most people. I don't think it would be a
controversial idea to the CAs since I've seen many certs out there
already that appear to combine sequencing and entropy.
>>>> 3) When the cert doesn't match, I also would like to check the serial
>>>> number to see if it's an *older* version of a certificate. Perhaps
>>>> I've
>>>> seen it before, which means there's a chance I could re-use the trust
>>>> decisions I made at the time. I'm also concerned that the older
>>>> cert may
>>>> have been revoked but the server admin hasn't updated the site
>>>> yet. And,
>>>> just like the "new cert" case, perhaps the cert I was using is in fact
>>>> fraudulent--I'd like to check that too. Bottom line is that there's a
>>>> chance for optimization if the old cert is in my local cache--and
>>>> if it
>>>> isn't I want to add it for the next time I encounter it.
>>> There is such a thing as over-optimisation :) Perhaps you should just
>>> take the hit. When someone starts dealing with a different cert,
>>> perhaps this is a good time to re-check everything about that customer,
>>> not try and squeeze the last few cycles out.
>> That would be a good decision.
In a Mozilla-style product I agree. In the embedded world, doing all
the checks is not going to be realistic in all cases for a variety of
reasons. And that's why I would like to do "some" checks instead of,
literally, none.
>> In fact, even for Mr Kurrasch, the serial number doesn't need to be
>> sequential. If it's different, his system checks if it already has
>> seen it before. How is it checked? I'm guessing the serial number is
>> stored in its "trust database". So the serial number here is used as
>> a unique identifier. That's precisely what it is. A unique identifier
>> among the CA. Nothing more.
> Exactly right. Once that confusion is cleared up, it is clear.
> Anyone care to ask PKIX to fix it?
Silly IanG...that's why we have a CABForum! :-)
> (Actually, as a developer one would go further and not trust the
> uniqueness claimed by the serial. We are talking about security code
> here... so certificates should be treated as suspect when anything
> changes - re-evaluate. Which in engineering terms would suggest that
> the cert be indexed using a hash ;-)
Actually, the serial number alone does not establish uniqueness even for
2 certs with the same subject/issuer pair! I don't have an exact
example in front of me now, but I'm pretty sure the MD2-signed and the
SHA1-signed certs for Verisign's PPCA3(?) from 1996(?) have the same
serial number (probably just a "1"). I know there are other examples, too.