[pkix] Questioning the benefit of random serials over sequential ones in x.509 certificates

"Piyush Jain" <piyush@ditenity.com> Fri, 14 December 2012 17:09 UTC

From: Piyush Jain <piyush@ditenity.com>
To: pkix@ietf.org
Date: Fri, 14 Dec 2012 09:09:21 -0800
Message-ID: <041f01cdda1d$c3a5eb70$4af1c250$@ditenity.com>
Subject: [pkix] Questioning the benefit of random serials over sequential ones in x.509 certificates

Hi All,

It seems that the current best practice is to use non-sequential serial numbers when issuing X.509 certificates.

I understand that it had some value when weak hashing algorithms were being used to create the signature.
But if you are using a strong hashing algorithm, what is the benefit of issuing certificates with random serial values?

Thanks a lot in advance for any insights.

-Piyush
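A worked illustration of the two serial-number schemes the question contrasts, added here as an example; it is not part of Piyush's message nor code from any PKIX document. It assumes Python 3 with the standard library only, and the names `der_integer`, `check_serial`, `random_serial` and `SequentialIssuer` are my own. The constraints it checks are the ones RFC 5280 section 4.1.2.2 places on `serialNumber`: a positive INTEGER whose DER content is at most 20 octets. The random generator draws 159 bits from the OS CSPRNG so the encoded value never needs a sign byte and so always fits the 20-octet limit.

```python
"""Added example (not from the original email): X.509 serial-number
generation and an RFC 5280 constraint check for the result."""
import secrets

MAX_SERIAL_OCTETS = 20  # RFC 5280 section 4.1.2.2: DER content of serialNumber


def der_integer(value: int) -> bytes:
    """Minimal DER encoding of an ASN.1 INTEGER (tag 0x02), two's complement.

    A positive value whose top bit is set needs a leading 0x00 octet, which
    is exactly why a 160-bit random serial would overflow the 20-octet limit.
    """
    if value >= 0:
        # one extra bit for the sign, rounded up to whole octets (0 -> 1 octet)
        length = (value.bit_length() + 8) // 8
    else:
        length = ((-value - 1).bit_length() + 8) // 8
    content = value.to_bytes(length, "big", signed=True)
    # short definite length form is enough: serials are far below 128 octets
    return b"\x02" + bytes([len(content)]) + content


def check_serial(value: int) -> dict:
    """Report whether a candidate serial satisfies RFC 5280's constraints."""
    content_octets = len(der_integer(value)) - 2  # strip tag and length byte
    positive = value > 0
    fits = content_octets <= MAX_SERIAL_OCTETS
    return {
        "positive": positive,
        "der_content_octets": content_octets,
        "fits_20_octets": fits,
        "ok": positive and fits,
    }


def random_serial() -> int:
    """159 bits from the OS CSPRNG (hypothetical helper, mirrors common CA practice).

    20 random octets shifted right by one leave the top bit clear, so the
    value is non-negative and its DER content is at most 20 octets.
    """
    while True:
        candidate = int.from_bytes(secrets.token_bytes(MAX_SERIAL_OCTETS), "big") >> 1
        if candidate > 0:  # zero is not a valid serial; practically never hit
            return candidate


class SequentialIssuer:
    """Counter-based issuer (hypothetical): every future serial follows from the last one seen."""

    def __init__(self, start: int = 1) -> None:
        self.next_serial = start

    def issue(self) -> int:
        serial = self.next_serial
        self.next_serial += 1
        return serial


if __name__ == "__main__":
    seq = SequentialIssuer()
    for _ in range(3):
        s = seq.issue()
        print("sequential:", s, der_integer(s).hex(), check_serial(s))
    r = random_serial()
    print("random:", hex(r), check_serial(r))
    # a 160-bit value is rejected: the sign octet pushes it to 21 content octets
    print("too long:", check_serial(2**160 - 1))
```

`check_serial` is what a CA operator or certificate linter would run over issued serials. The contrast between the two generators is the property the question is about: a counter reveals every serial the CA will issue next, while a CSPRNG draw puts bits into the to-be-signed structure that nobody outside the CA can know in advance.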