Closed Bug 1214353 Opened 9 years ago Closed 8 years ago

Symantec certs with very small serial numbers

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: BR Compliance)

Symantec updated their final report[1] to include lists of the certificates that were mis-issued in their test environment. [2],[3]

Some of the serial numbers in these lists are very short, so they are probably not following the Baseline Requirements:
"CAs SHOULD generate non‐sequential Certificate serial numbers that exhibit at least 20 bits of entropy."

For example, look at page 489 of the TestCertificateIncidentReportUnregistered.pdf report.
Serial Number 75, Issue Date 8/03/2015
Serial Number 8a, Issue Date 8/03/2015

Symantec, please update your software (for all of your brands) to prevent such non-BR compliant certs from being issued.


[1] https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_10_12_2015.pdf
[2] https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportOwnedDomains.pdf
[3] https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportUnregistered.pdf
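The check behind this report can be automated. The script below is an added example written for this page; it is not code from the bug, from Mozilla's CA program, or from Symantec. It parses lines in the layout quoted above (the sample lines are constructed, not copied from the PDF), flags any serial too short to hold the 20 bits of entropy the quoted BR clause calls for, looks for runs of consecutive serials, and shows how a CA would generate a compliant serial from a CSPRNG. The 64-bit default in `generate_serial` reflects the minimum that later versions of the Baseline Requirements mandate, which is stricter than the 20-bit SHOULD quoted in the bug.

```python
import re
import secrets

# Minimum entropy called for by the BR clause quoted in the bug (a SHOULD, 20 bits).
MIN_SERIAL_ENTROPY_BITS = 20

# Constructed sample lines in the same layout as the report excerpt in the bug.
SAMPLE_REPORT_LINES = [
    "Serial Number 75, Issue Date 8/03/2015",
    "Serial Number 8a, Issue Date 8/03/2015",
    "Serial Number 4f9c2b, Issue Date 8/03/2015",
    "Serial Number 0a3f71c9e2b4, Issue Date 8/04/2015",
]

LINE_RE = re.compile(r"Serial Number ([0-9a-fA-F]+), Issue Date (\S+)")


def parse_serial(line):
    """Return (serial_hex, issue_date) for a report line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def serial_bit_length(serial_hex):
    """Number of significant bits in the serial; an upper bound on its entropy."""
    return int(serial_hex, 16).bit_length()


def flag_short_serials(lines, min_bits=MIN_SERIAL_ENTROPY_BITS):
    """Return (serial, date, bits) for every serial too short to carry min_bits of entropy.

    A short serial cannot have the required entropy; a long one might still be
    sequential, so this is a necessary check, not a sufficient one.
    """
    flagged = []
    for line in lines:
        parsed = parse_serial(line)
        if parsed is None:
            continue
        serial, date = parsed
        bits = serial_bit_length(serial)
        if bits < min_bits:
            flagged.append((serial, date, bits))
    return flagged


def looks_sequential(serial_hexes, max_gap=1):
    """True if the serials, sorted numerically, form a run with gaps of at most max_gap.

    Catches the legacy-platform behaviour described in the bug, which a plain
    length check misses when the counter has grown large.
    """
    values = sorted(int(s, 16) for s in serial_hexes)
    if len(values) < 2:
        return False
    return all(b - a <= max_gap for a, b in zip(values, values[1:]))


def generate_serial(entropy_bits=64):
    """Generate a non-sequential serial from a CSPRNG (default 64 bits, per later BRs).

    RFC 5280 requires a positive integer, so a zero draw is rejected and redrawn.
    The DER encoder adds a leading 0x00 byte when the top bit is set.
    """
    while True:
        serial = secrets.randbits(entropy_bits)
        if serial > 0:
            return serial


if __name__ == "__main__":
    for serial, date, bits in flag_short_serials(SAMPLE_REPORT_LINES):
        print(f"serial {serial} issued {date}: only {bits} bits, below {MIN_SERIAL_ENTROPY_BITS}")
    print("sequential run:", looks_sequential(["75", "76", "77"]))
    print("fresh serial:", hex(generate_serial()))
```

Running it against the real report would mean feeding the extracted text of the PDF into `flag_short_serials`; the two serials quoted in the bug (`75` and `8a`) are 7 and 8 bits wide, so both are flagged.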
Kathleen, nearly all certificates we issue contain non-sequential Certificate serial numbers that exhibit at least 20 bits of entropy. A small number are issued from a legacy platform that can only generate sequential serial numbers. For those certificates, we add at least 20 bits of entropy to the validity end date. And as you noted, this is a SHOULD not a MUST, so we feel that these are BR-compliant.
Closing as wontfix per Comment #1.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Product: mozilla.org → NSS
Product: NSS → CA Program