[openssl-users] Using set_serial to control serial number size directly
rgm at htt-consult.com
Mon Aug 21 13:44:36 UTC 2017
On 08/21/2017 09:36 AM, Salz, Rich wrote:
> ➢ Thus how large does this random number have
> It’s also to protect against predicting serial numbers and being able to leverage that. It’s not just (nor really mainly) the MD5 digest attacks. According to CABForum, you need 8 octets. No reason not to use more if you can.
Sure there is. On constrained systems with constrained communication
links. Every byte counts. My real thrust on this is for IoT. To get
IoT developers to build around certs and know their products work with
them instead of, well we will get to it eventually.
When I work with 802.15.4 communications with a 128 byte MTU, there is
considerable debate over every byte sent. When you tell an IoT chip
maker that they have to go from 32KB memory to 100MB, they walk out of
Oh, I want DOTS and I2NSF developers to be working with certs from the
get go, instead of waiting for deployments and getting 'production' certs
and THEN discovering what works and what does not. But IoT is in many
ways more of a challenge.
So yes, size matters.
> ➢ page was talking about in conjunction with the -CA option. With 'openssl
> ca' use of the serial file is mandatory according to the man page.
> There are no command line options for it.
> Fixed in master and will be part of the next releases; the -rand_serial flag.
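Added example, not code from the thread or from OpenSSL: a few Python helpers that draw a serial of a chosen octet size from a CSPRNG, report the octet count its DER INTEGER encoding will occupy (the detail that matters on a 128-byte MTU), format it for `openssl x509 -set_serial`, and check an issued serial against the 8-octet minimum quoted in the thread and RFC 5280's 20-octet ceiling. The 8- and 20-octet constants are the thread's and RFC 5280's figures; the function names are mine.

```python
# Added example (not from the openssl-users thread): size-aware X.509
# serial numbers for use with "openssl x509 -set_serial 0x...".
import secrets

RFC5280_MAX_OCTETS = 20  # RFC 5280 4.1.2.2: serialNumber content <= 20 octets
CABF_MIN_OCTETS = 8      # figure quoted in the thread: >= 8 octets of CSPRNG output


def der_integer_len(serial: int) -> int:
    """Content length of the DER INTEGER encoding of a positive serial.
    DER adds a leading 0x00 when the top bit is set, so 0x80 needs 2 octets."""
    if serial <= 0:
        raise ValueError("serial must be positive (RFC 5280, CA/B Forum)")
    return serial.bit_length() // 8 + 1


def random_serial(n_octets: int) -> int:
    """Draw a positive serial whose DER encoding never exceeds n_octets.
    The sign bit is reserved, so the value carries 8*n_octets - 1 random
    bits: 63 for 8 octets, so pick 9 if a full 64 random bits are required."""
    if not 1 <= n_octets <= RFC5280_MAX_OCTETS:
        raise ValueError("n_octets must be between 1 and 20")
    value = secrets.randbits(8 * n_octets - 1)
    return value or 1  # zero is forbidden; only reachable with negligible probability


def set_serial_arg(serial: int) -> str:
    """Hex form (0x prefix) accepted by openssl's -set_serial option."""
    return f"0x{serial:x}"


def check_serial(serial: int, min_octets: int = CABF_MIN_OCTETS) -> list:
    """Findings for an issued serial; an empty list means it passes.
    Only the encoded size can be checked here: a single value reveals
    nothing about how it was generated, so the CSPRNG requirement must be
    enforced at issuance (random_serial above, or openssl's -rand_serial)."""
    if serial <= 0:
        return ["serial is not positive"]
    findings = []
    n = der_integer_len(serial)
    if n > RFC5280_MAX_OCTETS:
        findings.append(f"DER length {n} exceeds RFC 5280 limit of 20 octets")
    if n < min_octets:
        findings.append(f"DER length {n} is below the {min_octets}-octet minimum")
    return findings
```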