>Our goal is to reissue all the certificates within the next 30 days.
Before everyone goes into an orgy of mass revocation, see the message I just
posted "Why BR 7.1 allows any serial number except 0". As long as your serial
number isn't zero, there's no such thing as a non-compliant serial number, so
no need to revoke and replace great masses of certificates.
Peter.
>If any other CA wants to check theirs before someone else does, then now is
>surely the time to speak up.
I'd already asked previously whether any CA wanted to indicate publicly that
they were compliant with BR 7.1, which zero CAs responded to (I counted them
twice). This means either there are very few CAs bothering with dev-security-
policy, or they're all hunkering down and hoping it'll blow over, which given
that they're going to be forced to potentially carry out mass revocations
would be the game-theoretically sensible approach to take:
Option 1: Keep quiet case 1 (very likely): -> No-one notices, nothing happens.
Keep quite case 2 (less likely): -> Someone notices, revocation issues.
Option 2: Say something -> Revocation issues.
So keeping your head down would be the sensible/best policy.
Peter.
>Again, maths were wrong here, sorry. Correct calculation is:
>
>log2(18446744073708551615) = 63.99999999999993
I love the way that people are calculating data on an arbitrarily-chosen value
pulled entirely out of thin air to 14 decimal places. It's like summing a
diverging series. Or calculating how many angels can fit on the head of a
pin. Or something.
Peter.
>>>Again, maths were wrong here, sorry. Correct calculation is:
>>>
>>>log2(18446744073708551615) = 63.99999999999993
>>
>>I love the way that people are calculating data on an arbitrarily-chosen value
>>pulled entirely out of thin air
>
>Can you confirm if the motivation for the "64 bits of output from a CSPRNG"
>can be found in [1]?.
I actually thought it was from "Chosen-prefix collisions for MD5 and
applications" or its companion papers ("Short chosen-prefix collisions for MD5
and the creation of a rogue CA certificate", "Chosen-Prefix Collisions for MD5
and Colliding X.509 Certificates for Different Identities"), but it's not in
any of those. Even the CCC talk slides only say "We need defense in depth ->
random serial numbers" without giving a bit count. So none of the original
cryptographic analysis papers seem to give any value at all. It really does
seem to be a value pulled entirely out of thin air.
Peter.