[Top] [All Lists]

Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate

2008-12-30 17:27:50

At Tue, 30 Dec 2008 16:05:56 -0600,
Timothy J. Miller wrote:

[1  <text/plain; ISO-8859-1 (7bit)>]
Eric Rescorla wrote:
At Tue, 30 Dec 2008 12:53:06 -0800,
Paul Hoffman wrote:

Your recollection may be off. I believe I was the person who brought
up the serial number hack at the mic, and I'm pretty sure I said
"some", not "many" (and certainly not "most"!). When I looked at a
handful of popular CAs earlier this week, I only found a few who are
using randomization in their serial numbers.

I don't know whether many or most do it. IMO everyone should.

Randomizing serial numbers has implications for OCSP operations, 
particularly those that use presigned responses in order to optimize 

Why presign?  Because for a large network with varying levels of 
support, it may be easier to move around sets of pre-produced responses 
to distributed keyless OCSP responders than to guarantee connectivity to 
a keyed OCSP service.

Why presign batches rather than individual responses?  Because for a 
large PKI the response pre-production time can exceed the CRL update 

I'm not sure I understand the issue here, but 
they don't actually have to be totally randomized. You could use a
PRF so they were predictable to the CA.


<Prev in Thread] Current Thread [Next in Thread>