info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Policy 2.4 Proposal: Update entropy requirements for EE certificates
77 views
Skip to first unread message
Gervase Markham
Dec 16, 2016, 10:18:41 AM12/16/16
to mozilla-dev-s...@lists.mozilla.org
Currently, the policy says:
"all new end-entity certificates must contain at least 20 bits of
unpredictable random data (preferably in the serial number)."
We should require the random data to be in the serial number, and also
update the number of bits required.
BRs 1.3.7 and later say:
"Effective September 30, 2016, CAs SHALL generate non‐sequential
Certificate serial numbers greater than zero (0) containing at least 64
bits of output from a CSPRNG."
Nevertheless, we should update our policy to also use this text, because
our policy also covers email certificates. We discussed this at the All
Hands recently and we did not think that there were any compelling
reasons to provide exemptions to this requirement for particular classes
of certificate (intermediate, CA-generated, particular crypto
algorithms, etc.) We feel it is simplest and safest to require it
everywhere.
This is: https://github.com/mozilla/pkipolicy/issues/13
-------
This is a proposed update to Mozilla's root store policy for version
2.4. Please keep discussion in this group rather than on Github. Silence
is consent.
Policy 2.3 (current version):
https://github.com/mozilla/pkipolicy/blob/2.3/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates
"all new end-entity certificates must contain at least 20 bits of
unpredictable random data (preferably in the serial number)."
We should require the random data to be in the serial number, and also
update the number of bits required.
BRs 1.3.7 and later say:
"Effective September 30, 2016, CAs SHALL generate non‐sequential
Certificate serial numbers greater than zero (0) containing at least 64
bits of output from a CSPRNG."
Nevertheless, we should update our policy to also use this text, because
our policy also covers email certificates. We discussed this at the All
Hands recently and we did not think that there were any compelling
reasons to provide exemptions to this requirement for particular classes
of certificate (intermediate, CA-generated, particular crypto
algorithms, etc.) We feel it is simplest and safest to require it
everywhere.
This is: https://github.com/mozilla/pkipolicy/issues/13
-------
This is a proposed update to Mozilla's root store policy for version
2.4. Please keep discussion in this group rather than on Github. Silence
is consent.
Policy 2.3 (current version):
https://github.com/mozilla/pkipolicy/blob/2.3/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates
Gervase Markham
Jan 12, 2017, 11:26:04 AM1/12/17
to mozilla-dev-s...@lists.mozilla.org
On 16/12/16 15:18, Gervase Markham wrote:
> Nevertheless, we should update our policy to also use this text, because
> our policy also covers email certificates. We discussed this at the All
> Hands recently and we did not think that there were any compelling
> reasons to provide exemptions to this requirement for particular classes
> of certificate (intermediate, CA-generated, particular crypto
> algorithms, etc.) We feel it is simplest and safest to require it
> everywhere.
Resolved using the following text:
> Nevertheless, we should update our policy to also use this text, because
> our policy also covers email certificates. We discussed this at the All
> Hands recently and we did not think that there were any compelling
> reasons to provide exemptions to this requirement for particular classes
> of certificate (intermediate, CA-generated, particular crypto
> algorithms, etc.) We feel it is simplest and safest to require it
> everywhere.
- all new certificates must have a serial number greater than zero
(0) containing at least 64 bits of output from a CSPRNG.
Gerv
0 new messages