Closed
Bug 1214353
Opened 9 years ago
Closed 8 years ago
Symantec certs with very small serial numbers
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)
Details
(Whiteboard: BR Compliance)
Symantec updated their final report[1] to include lists of the certificates that were mis-issued in their test environment.[2],[3] Some of the serial numbers in these lists are very short, so they are probably not following the Baseline Requirements: "CAs SHOULD generate non-sequential Certificate serial numbers that exhibit at least 20 bits of entropy."

For example, look at page 489 of the TestCertificateIncidentReportUnregistered.pdf report:

Serial Number 75, Issue Date 8/03/2015
Serial Number 8a, Issue Date 8/03/2015

Symantec, please update your software (for all of your brands) to prevent such non-BR compliant certs from being issued.

[1] https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_10_12_2015.pdf
[2] https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportOwnedDomains.pdf
[3] https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportUnregistered.pdf
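The check behind this report (a serial number with only one byte of value cannot carry 20 bits of entropy, and serials that are consecutive suggest a counter rather than a random generator) can be automated when reviewing a CA's issued-certificate list. The following is an added example, not code from the bug, from Mozilla or from Symantec; the serial values in SAMPLE_SERIALS are constructed for illustration, two of them copied from the report cited above, and the function and class names are the example's own.

```python
"""Flag X.509 serial numbers that cannot meet the Baseline Requirements'
"at least 20 bits of entropy" guidance or that look sequential.

Added example for this bug; not Mozilla's, Symantec's or the BR's own tooling.
"""
from __future__ import annotations

from dataclasses import dataclass

MIN_ENTROPY_BITS = 20  # BR wording: "at least 20 bits of entropy" (a SHOULD)


@dataclass(frozen=True)
class Finding:
    serial_hex: str          # serial as it appeared in the input
    bits: int                # number of significant bits in the value
    reasons: tuple[str, ...]  # why it was flagged


def _parse_serial(serial_hex: str) -> int:
    """Accept 'ab:cd', 'AB CD' or 'abcd' forms as printed by openssl or
    pasted from a PDF report.  Leading 00 padding (added in DER to keep the
    INTEGER positive) contributes nothing and is dropped by int()."""
    cleaned = serial_hex.replace(":", "").replace(" ", "").strip()
    if not cleaned:
        raise ValueError("empty serial number")
    return int(cleaned, 16)


def serial_bits(serial_hex: str) -> int:
    """Significant bits in the serial value; an upper bound on its entropy."""
    return _parse_serial(serial_hex).bit_length()


def check_serials(serials: list[str], min_bits: int = MIN_ENTROPY_BITS) -> list[Finding]:
    """Return one Finding per serial that looks non-compliant.

    Check 1: fewer than min_bits significant bits.  Such a value cannot hold
             min_bits of entropy however it was generated, so this alone is
             enough to flag it.
    Check 2: the value is one above or below another serial in the same
             batch, which is what a sequential counter produces.
    Passing both checks is NOT proof of randomness; a long serial may still
    come from a counter, so treat a clean result as "nothing obvious".
    """
    values = [_parse_serial(s) for s in serials]
    seen = set(values)
    findings: list[Finding] = []
    for original, value in zip(serials, values):
        reasons: list[str] = []
        if value.bit_length() < min_bits:
            reasons.append(f"only {value.bit_length()} significant bits (< {min_bits})")
        if (value - 1) in seen or (value + 1) in seen:
            reasons.append("adjacent to another serial in the batch (sequential?)")
        if reasons:
            findings.append(Finding(original, value.bit_length(), tuple(reasons)))
    return findings


# Constructed batch: "75" and "8a" are the two values quoted in the bug,
# "8b" is constructed to show the sequential check, and the last entry is a
# constructed 64-bit value with DER-style leading 00 padding.
SAMPLE_SERIALS = ["75", "8a", "8b", "00:9f:3c:1d:7e:a2:44:91:b0"]

if __name__ == "__main__":
    for finding in check_serials(SAMPLE_SERIALS):
        print(f"{finding.serial_hex:>28}  {finding.bits:3d} bits  " + "; ".join(finding.reasons))
```

Running the file reports 75, 8a and 8b and leaves the 64-bit serial alone. The bit-length test is deliberately an upper bound: it catches the case the bug describes, but it cannot tell a random 64-bit value from a zero-padded counter, which is why the adjacency check over a whole batch is included.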
Comment 1•9 years ago
Kathleen, nearly all certificates we issue contain non-sequential Certificate serial numbers that exhibit at least 20 bits of entropy. A small number are issued from a legacy platform that can only generate sequential serial numbers. For those certificates, we add at least 20 bits of entropy to the validity end date. And as you noted, this is a SHOULD not a MUST, so we feel that these are BR-compliant.
Comment 2•8 years ago
Closing as wontfix per Comment #1.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Updated•7 years ago
Product: mozilla.org → NSS
Updated•2 years ago
Product: NSS → CA Program