Symantec certs with very small serial numbers

Status: RESOLVED WONTFIX

Product: NSS
Component: CA Certificate Root Program
Opened: 2 years ago
Updated: 10 months ago

People

(Reporter: Kathleen Wilson, Assigned: Kathleen Wilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: BR Compliance)

(Assignee)

Description

2 years ago
Symantec updated their final report [1] to include lists of the certificates that were mis-issued in their test environment [2], [3].

Some of the serial numbers in these lists are very short, so they are probably not following the Baseline Requirements:
"CAs SHOULD generate non-sequential Certificate serial numbers that exhibit at least 20 bits of entropy."

For example, look at page 489 of the TestCertificateIncidentReportUnregistered.pdf report.
Serial Number 75, Issue Date 8/03/2015
Serial Number 8a, Issue Date 8/03/2015

Symantec, please update your software (for all of your brands) to prevent such non-BR compliant certs from being issued.
[1] https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_10_12_2015.pdf
[2] https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportOwnedDomains.pdf
[3] https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportUnregistered.pdf
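The check the description above applies by hand (a serial such as 75 or 8a is too small to carry 20 bits of entropy), as an added example that is not part of the bug or of Symantec's report. It takes hex serials as printed by `openssl x509 -noout -serial` or in a CA incident report, flags those that fit in fewer than 20 bits, and also detects counter-style sequential runs in a batch; all sample serials other than the two cited in the bug are constructed.

```python
from typing import Dict, List

MIN_ENTROPY_BITS = 20  # the figure in the BR text quoted in the bug


def serial_value(serial_hex: str) -> int:
    """Parse a hex serial, tolerating a 'serial=' prefix and colons."""
    s = serial_hex.strip().lower()
    if s.startswith("serial="):
        s = s[len("serial="):]
    return int(s.replace(":", "") or "0", 16)


def too_short(serial_hex: str) -> bool:
    """True if the serial's value fits in fewer than MIN_ENTROPY_BITS bits.

    A serial drawn with 20 bits of entropy can still be small by chance
    (a value below 2**8, like 0x75, occurs with probability 2**-12), so one
    hit is a strong signal and several in a short list are conclusive.
    """
    return serial_value(serial_hex).bit_length() < MIN_ENTROPY_BITS


def sequential_runs(serials: List[str]) -> List[List[str]]:
    """Group serials (in issuance order) that each increase by exactly one."""
    runs: List[List[str]] = []
    current: List[str] = []
    for s in serials:
        if current and serial_value(s) == serial_value(current[-1]) + 1:
            current.append(s)
            continue
        if len(current) > 1:
            runs.append(current)
        current = [s]
    if len(current) > 1:
        runs.append(current)
    return runs


def lint_serials(serials: List[str]) -> Dict[str, list]:
    """Report the short serials and sequential runs found in one batch."""
    return {"short": [s for s in serials if too_short(s)],
            "sequential": sequential_runs(serials)}


# Constructed sample: the two serials cited in the bug, a constructed
# counter-style run, and one serial long enough to carry real entropy.
SAMPLE_SERIALS = ["75", "8a", "0100", "0101", "0102", "3f9c2a7e1b0d4c85"]
```

Running `lint_serials(SAMPLE_SERIALS)` reports the five short serials and the run 0100, 0101, 0102; a serial lint cannot see entropy a CA claims to have placed elsewhere, such as in the validity end date, so that claim needs a separate check.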

Comment 1

2 years ago
Kathleen, nearly all certificates we issue contain non-sequential Certificate serial numbers that exhibit at least 20 bits of entropy. A small number are issued from a legacy platform that can only generate sequential serial numbers. For those certificates, we add at least 20 bits of entropy to the validity end date. And as you noted, this is a SHOULD not a MUST, so we feel that these are BR-compliant.
(Assignee)

Comment 2

2 years ago
Closing as wontfix per Comment #1.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX

Updated

10 months ago
Product: mozilla.org → NSS