TLS: 64bit-ish Serial Numbers & Mass Revocation
https://adamcaudill.com/2019/03/09/tls-64bit-ish-serial-numbers-mass-revocation/ [adamcaudill.com]
2019-03-12 02:33
During a recent discussion about the DarkMatter CA on a Mozilla mailing list, it was found that their 64-bit serial numbers weren’t actually 64 bits, and it opened a can of worms. It turns out that the serial number was effectively 63 bits, which is a violation of the CA/B Forum Baseline Requirements that state it must contain 64 bits of output from a secure random number generator (CSPRNG). As a result of this finding, 2,000,000 certificates or more may need to be replaced by Google, Apple, GoDaddy and others.
source: L