[16299] in cryptography@c2.net mail archive
Re: Certificate serial number generation algorithms
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Mon Oct 11 17:54:39 2004
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@metzdowd.com, ekr@rtfm.com
In-Reply-To: <20041011013122.73C4B7185@sierra.rtfm.com>
Date: Tue, 12 Oct 2004 05:34:38 +1300
Eric Rescorla <ekr@rtfm.com> writes:
>In particular, Verisign's is very long and I seem to remember someone telling
>me it was a hach but I don't recall the details...
It's just a SHA-1 hash. Many CAs use this to make traffic analysis of how
many (or few) certificates they're issuing impossible. An additional
motivation for use by Verisign was to avoid certs with low serial numbers
having special significance. While there are a few CA's that follow the
monotonically-increasing-integers scheme that certs were originally intended
to have (and all manner of other weirdness, 32-bit integer IDs of unknown
origin seem to be popular in the "other" category), most seem to use a binary
blob of varying length.
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
