
Mozilla Wants 64 Bits of Entropy in Certificate Serial Numbers

Mozilla this week announced an update to its CA Certificate Policy, which now requires the use of 64 bits of entropy in certificate serial numbers.

The change was included in Mozilla’s CA Certificate Policy 2.4.1, and arrives nearly one year after the CA/Browser Forum adopted Ballot 164, which required Certificate Authorities to use greater randomization when issuing certificates, to mitigate collision attacks and make preimage attacks more difficult.

The ballot also proposed replacing the earlier wording about “entropy” with a requirement for output from a cryptographically secure pseudo-random number generator (CSPRNG). Section 7.1 of the Baseline Requirements was accordingly modified to read: “Effective September 30, 2016, CAs SHALL generate Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG.”

The change was proposed after it was demonstrated that hash collisions can allow an attacker to obtain a valid signature on a certificate of their choosing, and that unpredictable random bits in the serial number double the effective security level of the hash function against such attacks. While adding random bits had been encouraged before, the ballot made it a requirement.
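As an added Python example (not from the article or from Mozilla's policy text), the following shows a serial generator that follows the amended Section 7.1 wording, plus a linter heuristic for spotting serials that cannot contain 64 bits of CSPRNG output. The 8-octet threshold and the RFC 5280 20-octet length check are this example's own assumptions about how to approximate the rule when inspecting issued certificates.

```python
import secrets

MIN_CSPRNG_BITS = 64   # Baseline Requirements 7.1 as amended by Ballot 164
MAX_DER_OCTETS = 20    # RFC 5280 4.1.2.2: serialNumber content is at most 20 octets

def der_integer_octets(n: int) -> int:
    """Octets needed for the DER INTEGER content of a non-negative n.

    DER integers are two's complement, so a value whose top bit is set in its
    top byte gets a leading 0x00 octet (64 random bits with top bit set -> 9)."""
    if n < 0:
        raise ValueError("negative serials are out of scope here")
    return n.bit_length() // 8 + 1

def generate_serial(random_bits: int = MIN_CSPRNG_BITS) -> int:
    """Serial made of random_bits of CSPRNG output (Python's secrets module).

    Retries on a zero draw so the result is strictly greater than zero, as the
    amended Section 7.1 requires. The top bit is deliberately NOT cleared to
    save the leading 0x00 octet: that would leave only 63 random bits."""
    if random_bits < MIN_CSPRNG_BITS:
        raise ValueError(f"at least {MIN_CSPRNG_BITS} bits of CSPRNG output required")
    while True:
        serial = secrets.randbits(random_bits)
        if serial > 0:
            return serial

def check_serial(serial: int) -> list:
    """Return findings for one serial; an empty list means nothing was flagged.

    Entropy cannot be measured from a single value, so the 64-bit rule is
    approximated (this example's assumption, not Mozilla's text): a uniform
    64-bit draw needs fewer than 8 octets only when below 2**55, i.e. with
    probability 2**-9, so shorter encodings are flagged as non-compliant."""
    if serial <= 0:
        return ["serial is not greater than zero"]
    findings = []
    octets = der_integer_octets(serial)
    if octets < 8:
        findings.append(f"{octets}-octet encoding: almost certainly fewer than "
                        f"{MIN_CSPRNG_BITS} bits of CSPRNG output")
    if octets > MAX_DER_OCTETS:
        findings.append(f"{octets}-octet encoding exceeds RFC 5280 limit of "
                        f"{MAX_DER_OCTETS} octets")
    return findings

if __name__ == "__main__":
    # Constructed samples: a small counter-style serial, a fresh draw, a 160-bit value
    for sample in (0x1A2B, generate_serial(), 1 << 159):
        print(hex(sample), der_integer_octets(sample), check_serial(sample))
```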

The updated CA Certificate Policy also states that CP and CPS documents now need to be submitted to Mozilla each year, in addition to audit statements, and that these documents need to be provided in English starting June 1, 2017. The company also updated the applicable versions of some audit criteria.

Mozilla also notes that submitted documentation must be openly licensed and that the Common CCADB Policy and the Mozilla CCADB Policy are incorporated by reference into this version of Mozilla’s CA Certificate Policy. Further, the new Common CA Database (CCADB) Policy makes official a number of existing expectations regarding the CCADB, and there are additional requirements on OCSP responses, the company says.

The organization has already sent the CA Communication to the Primary Point of Contact (POC) for each CA and asked them to respond to 14 action items. CAs are also invited to contribute to discussions in the mozilla.dev.security.policy forum about upcoming changes, questions and clarifications about policy and expectations, and root certificate inclusion/change requests.

“With this CA Communication, we re-iterate that participation in Mozilla’s CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve,” the company said.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
