On 08/21/2017 09:36 AM, Salz, Rich wrote:
➢ Thus how large does this random number have It’s also to protect against predicting serial numbers and being able to leverage that. It’s not just (nor really mainly) the MD5 digest attacks. According to CABForum, you need 8 octets. No reason not to use more if you can.
Sure there is. On constrained systems with constrained communication links. Every byte counts. My real thrust on this is for IoT. To get IoT developers to build around certs and know their products work with them instead of, well we will get to it eventually.
When I work with 802.15.4 communications with a 128 byte MTU, there is considerable debate over every byte sent. When you tell an IoT chip maker that they have to go from 32KB memory to 100MB, they walk out of the room.
Oh, I want DOTS and I2NSF developers to be working with certs from the get go, instead waiting for deployments and getting 'production' certs and THEN discovering what works and what does not. But IoT is in many ways more of a challenge.
So yes, size matters.
➢ page was talking about in conjunction with the -CA option. With 'openssl ca' use of the serial file is mandatory according to the man page. There are no command line options for it. Fixed in master and will be part of the next releases; the –rand_serial flag.
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users