>This raises 3 derived concerns:
And a fourth, which has been overlooked during all the bikeshedding...
actually I'll call it question 0, since that's what it should have been:
0. Given that the value of 64 bits was pulled out of thin air (or possibly
less well-lit regions), does it really matter whether it's 63 bits, 64
bits, 65 3/8th bits, or e^i*pi bits?
Peter.
>Can the CA's agent just request the cert, review the to-be-signed certificate
>data, and reject and retry until they land on a prime? Then issue that
>certificate?
>
>Does current policy address that? Should it?
Yeah, you can get arbitrarily silly with this. For example my code has always
used 8-byte serial numbers (based on the German Tank Problem, nothing to do
with the BR), it requests 9 bytes of entropy and, if the first byte of the 8
that gets used is zero uses the surplus byte, and if that's still zero sets it
to 1 (again nothing to do with the BR, purely as an ASN.1 encoding thing so
you always get a fixed-length value). So there's a bias of 1/64K values. Is
that small enough? What if I make it 32 bits, so it's 1/4G values? What
about 48 bits? What if I use a variant of what you're suggesting, a >64-bit
structured value that contains 64 bits of entropy (so perhaps something using
parity bits or similar), is that valid?
As I said above, you can get arbitrarily silly with this. I'm sure if we
looked at other CA's code at the insane level of nitpickyness that
DarkMatter's use of EJBCA has been examined, we'd find reasons why their
implementations are non-compliant as well.
Peter.
As I said above, you can get arbitrarily silly with this. I'm sure if we
looked at other CA's code at the insane level of nitpickyness that
DarkMatter's use of EJBCA has been examined, we'd find reasons why their
implementations are non-compliant as well.
Seconds after sending it, this arrived:
As of 9pm AZ on 3/6/2019 GoDaddy started researching the 64bit certificate
Serial Number issue. We have identified a significant quantity of
certificates (> 1.8million) not meeting the 64bit serial number requirement.
I rest my case.
Oh, and the BR's need an update so that half the CAs on the planet aren't
suddenly non-BR compliant based on the DarkMatter-specific interpretation.
Peter.
>As if on queue, comes now GoDaddy with its confession.
I swear I didn't plan that in advance :-).
Peter.
>If you generate a 64-bit random value, then discard some values based on any
>sort of quality test, the end result is a 64-bit value with less-than-64-bits
>of randomness.
That's not what 7.1 says, merely:
CAs SHALL generate non-sequential Certificate serial numbers greater than
zero (0) containing at least 64 bits of output from a CSPRNG
There's nothing there about whether you can, for example, discard values that
you don't like and generate another one (in fact it specifically requires that
you reject the value 0 and generate another one). In particular, for your
objection, how is one totally random value different from another?
Specifically, if I discard a totally random value that has the high bit set
(because of ASN.1 encoding issues) and take the next value generated, how is
that (a) not compliant with 7.1 and (b) different from another totally random
value that happens to not have the high bit set in the first place?
What if I call every cert that would end up with the sign bit set a test cert
and only issue the ones where they're not set? Again, fully compliant with
the wording of 7.1, but presumably not compliant with your particular
interpretation of the wording (OK, it might be, I'm sure you'll let me know if
it is or isn't). That's the problem with rules-lawyering, if you're going to
insist on your own very specific interpretation of a loosely-worded
requirement then it's open season for anyone else to find dozens of other
fully compatible but very different interpretations.
And, again, question zero: Given that the value of 64 bits was pulled out of
thin air, why does it even matter?
Can we just agree that the bikeshed can be any colour people want as long as
you're not using lead-based paint and move on from this bottomless pit?
Peter.
CAs SHALL generate non-sequential Certificate serial numbers greater than
zero (0) containing at least 64 bits of output from a CSPRNG
Note the comment I made yesterday:
That's the problem with rules-lawyering, if you're going to insist on your
own very specific interpretation of a loosely-worded requirement then it's
open season for anyone else to find dozens of other fully compatible but
very different interpretations.
So lets look at the most pathologically silly but still fully compliant with
BR 7.1 serial number you can come up with. Most importantly, 7.1 it never
says what form those bits should be in, merely that it needs to contain "at
least 64 bits of output from a CSPRNG". In particular, it doesn't specify
which order those bits should be in, or which bits should be used, as long as
there's at least 64.
So the immediate application of this observation is to make any 64-bit value
comply with the ASN.1 encoding rules: If the first bit is 1 (so the sign bit
is set), swap it with any convenient zero bit elsewhere in the value.
Similarly, if the first 9 bits are zero, swap one of them with a one bit from
somewhere else. Fully compliant with BR 7.1, and now also fully compliant
with ASN.1 DER.
Let's take it further. Note that there's no requirement for the order to be
preserved. So let's define the serial number as:
serialNumber = sortbits( CSPRNG64() );
On average you're going to get a 50:50 mix of ones and zeroes, so your serial
numbers are all going to be:
0x00000000FFFFFFFF
plus/minus a few bits around the middle. When encoded, this will actually be
0x00FFFFFFFF, with the remaining zero bits implicit - feel free to debate
whether the presence of implict zero bits is compliant with BR 7.1 or not.
Anyway, continuing, you can also choose to alternate the bits so you still get
a fixed-length value:
0x5555555555555555
(plus/minus a bit or two at the LSB, as before).
Or you could sort the bits into patterns, for example to display as rude
messages in ASCII:
"BR7SILLY"
Or, given that you've got eight virtual pixels to play with, create ASCII art
in a series of certificates, e.g. encode one line of an emoji in each serial
number.
Getting back to the claim that "BR 7.1 allows any serial number except 0",
here's how you get this:
At one end of the range, your bit-selection rule is "discard every one bit
except the 64th one", so your serial number is:
0x0000000000000001
or, when DER encoded:
0x01
At the other end of the scale, "discard every zero bit except the first one":
0x7FFFFFFFFFFFFFFF
or INT_MAX.
All fully compliant with the requirement that:
CAs SHALL generate non-sequential Certificate serial numbers greater than
zero (0) containing at least 64 bits of output from a CSPRNG
I should note in passing that this also allows all the certificates you issue
to have the same serial number, 1, since they're non-sequential and greater
than zero.
Peter.
>So the immediate application of this observation is to make any 64-bit value
>comply with the ASN.1 encoding rules: If the first bit is 1 (so the sign bit
>is set), swap it with any convenient zero bit elsewhere in the value.
>Similarly, if the first 9 bits are zero, swap one of them with a one bit from
>somewhere else. Fully compliant with BR 7.1, and now also fully compliant
>with ASN.1 DER.
Oops, need to clarify that: Note the specific use of "swap one of them". You
can't just drop in a zero bit you made up yourself, you have to use one of the
original zero bits that came from the CSPRNG or you won't be compliant with BR
7.1 any more. So you need to swap in a genuine zero bit from elsewhere in the
value, not just replace it with your own made-up zero bit.
Peter.
>I'm not sure this will be a very productive or valuable line of discussion.
What I'm pointing out is that beating up CAs over an interpretation of the
requirements that didn't exist until about a week ago when it was pointed out
in relation to DarkMatter is unfair on the CAs. If you're going to impose a
specific interpretation on them then get it added to the BRs at a future date
and enforce it then, don't retroactively punish CAs for something that didn't
exist until a week or two ago.
>Of course, there are quite glaring flaws in the argument, particularly that
>"all" of these are compliant. None of them are compliant under any reasonable
>reading.
Again, it's your definition of "reasonable". A number of CAs, who applied
their own reasonable reading of the same requirements, seem to think
otherwise. They're now being punished for the fact that their reasonable
reading differs from Mozilla's reasonable reading.
>I would strongly caution CAs against adopting any of these interpretations,
>and suggest it would be best for CAs to wholly ignore the message referenced.
"Pay no attention to the message behind the curtain".
Peter.
>If we have to count every CA that had this interpretation, then I suppose all
>CAs that were using EJBCA with the default configuration have the same
>interpretation.
There's also an unknown number of CAs not using EJBCA that may have even
further interpretations. For example my code, which I'll point out in advance
has nothing to do with the BR and predates the existence of the CAB Forum
itself, may or may not be compliant with whatever Mozilla's interpretation of
7.1 is. I literally have no idea whether it meets Mozilla's expectations. It
doesn't do what EJBCA does, so at least it's OK there, but beyond that I have
no idea whether it does what Mozilla wants or not.
I assume any number of other CAs are in the same position, and given that if
they guessed wrong they have to revoke an arbitrarily large number of certs,
it's in their best interests to keep their heads down and wait for this to
blow over.
So perhaps instead of trying to find out which of the hundreds of CAs in the
program aren't compliant, we can check which ones are. Would any CA that
thinks it's compliant let us know, and indicate why they think they're
compliant? For example "we take 64 bits of CSPRNG output, pad it with a
leading <whatever>, and use that as the serial number", in other words what
Matthew Hardeman suggested, would seem to be OK.
Peter.