[conspire] Cert debacle involving a billion certs

paulz at ieee.org
Mon Mar 18 13:48:41 PDT 2019


 How many bits make something "secure"? 64 bits was deemed to be "enough" in 2016, but that was 3 years ago. When does the 64-bit requirement need to be increased?

It's hard to get excited about 63 vs 64 bits except as an embarrassment to big companies that should have done better.

    On Monday, March 18, 2019, 12:33:29 PM PDT, Deirdre Saoirse Moen <deirdre at deirdre.net> wrote:  
 
 https://arstechnica.com/information-technology/2019/03/godaddy-apple-and-google-goof-results-in-1-million-misissued-certificates/

"The snafu is the result of the companies' misconfiguration of the open source EJBCA software package that many browser-trusted authorities use to generate certificates that secure websites, encrypt email, and digitally sign code. By default, EJBCA generated certificates with 64-bit serial numbers, in keeping, it seemed, with an industry mandate that serial numbers contain 64 bits of output from a secure pseudo-random number generator. Upon further scrutiny, engineers discovered that one of the 64 bits must be a fixed value to ensure the serial number is a positive integer. As a result, the EJBCA default produced a serial number with 63 bits of entropy."

Deirdre’s note: unsigned ints are a thing y’all.

Deirdre
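
Added example, not part of the original thread and not EJBCA code: a Python sketch of the serial-number arithmetic the quoted article describes, plus a check that bounds how many random bits a sample of serials can carry based on their DER INTEGER size. All function names are hypothetical, the 16-byte width is an assumed remedy, and the samples are constructed rather than taken from real certificates.

```python
import secrets

REQUIRED_BITS = 64  # CSPRNG output the quoted mandate calls for

def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER: minimal-length, signed two's complement."""
    if value < 0:
        raise ValueError("certificate serial numbers must not be negative")
    # One bit is always reserved for the sign, hence the +1 in the byte count.
    return value.to_bytes(value.bit_length() // 8 + 1, "big")

def serial_8_bytes() -> int:
    """The pattern the article describes: 8 random bytes, top bit forced to 0."""
    raw = bytearray(secrets.token_bytes(8))
    raw[0] &= 0x7F  # keeps the INTEGER positive; costs one random bit
    return int.from_bytes(raw, "big")  # 63 random bits

def serial_wide(nbytes: int = 16) -> int:
    """Assumed remedy: draw more bytes so the fixed sign bit no longer matters."""
    raw = bytearray(secrets.token_bytes(nbytes))
    raw[0] &= 0x7F
    return int.from_bytes(raw, "big")  # 8 * nbytes - 1 random bits

def entropy_upper_bound(serials) -> int:
    """Most random bits any serial in the sample could carry, from encoded size."""
    return max(len(der_integer_content(s)) * 8 - 1 for s in serials)

def meets_requirement(serials, required_bits: int = REQUIRED_BITS) -> bool:
    """False when no serial in the sample is wide enough to hold required_bits."""
    return entropy_upper_bound(serials) >= required_bits

if __name__ == "__main__":
    for name, gen in (("8-byte", serial_8_bytes), ("16-byte", serial_wide)):
        sample = [gen() for _ in range(1000)]  # constructed sample, not real certs
        print(name, "upper bound:", entropy_upper_bound(sample), "bits;",
              "meets 64-bit rule:", meets_requirement(sample))
```

A passing result only shows the serials are wide enough to hold 64 random bits; it says nothing about the quality of the generator behind them.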


