Symantec updated their final report to include lists of the certificates that were mis-issued in their test environment. , Some of the serial numbers in these lists are very short, so they are probably not following the Baseline Requirements: "CAs SHOULD generate non‐sequential Certificate serial numbers that exhibit at least 20 bits of entropy." For example, look at page 489 of the TestCertificateIncidentReportUnregistered.pdf report. Serial Number 75, Issue Date 8/03/2015 Serial Number 8a, Issue Date 8/03/2015 Symantec, please update your software (for all of your brands) to prevent such non-BR compliant certs from being issued.  https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_10_12_2015.pdf  https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportOwnedDomains.pdf  https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportUnregistered.pdf
Kathleen, nearly all certificates we issue contain non-sequential Certificate serial numbers that exhibit at least 20 bits of entropy. A small number are issued from a legacy platform that can only generate sequential serial numbers. For those certificates, we add at least 20 bits of entropy to the validity end date. And as you noted, this is a SHOULD not a MUST, so we feel that these are BR-compliant.
Closing as wontfix per Comment #1.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.