Re: [pkix] Why is the crlNumber an OCTET STRING?

Peter Gutmann <> Wed, 21 April 2021 02:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 219263A0FDF for <>; Tue, 20 Apr 2021 19:50:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kHndvc_1S5sr for <>; Tue, 20 Apr 2021 19:50:44 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7D8D33A0FDE for <>; Tue, 20 Apr 2021 19:50:42 -0700 (PDT)
Received: from ( []) (Using TLS) by with ESMTP id au-mta-70-ZnF7PL9fOcKFOThlfvZa4w-1; Wed, 21 Apr 2021 12:50:37 +1000
X-MC-Unique: ZnF7PL9fOcKFOThlfvZa4w-1
Received: from (2603:1096:300:5b::33) by (2603:10c6:220:144::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4042.19; Wed, 21 Apr 2021 02:50:30 +0000
Received: from (2603:1096:300:5b::4) by (2603:1096:300:5b::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4065.6 via Frontend Transport; Wed, 21 Apr 2021 02:50:30 +0000
X-MS-Exchange-Authentication-Results: spf=none (sender IP is;; dkim=none (message not signed) header.d=none;; dmarc=none action=none
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.4065.21 via Frontend Transport; Wed, 21 Apr 2021 02:50:29 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 21 Apr 2021 14:50:28 +1200
Received: from ([fe80::e4e7:eb90:ab28:1bf5]) by ([fe80::e4e7:eb90:ab28:1bf5%14]) with mapi id 15.00.1497.015; Wed, 21 Apr 2021 14:50:28 +1200
From: Peter Gutmann <>
To: "Manger, James" <>, Russ Housley <>
Thread-Topic: [pkix] Why is the crlNumber an OCTET STRING?
Thread-Index: AQHXNisBKMOxCIvjxkGR+Ro1p9pc2aq9JmQAgADNMVL//zkzAIAAzrgj//9+3gCAAMpoTg==
Date: Wed, 21 Apr 2021 02:50:27 +0000
Message-ID: <>
References: <> <> <>, <>, <>, <>
In-Reply-To: <>
Accept-Language: en-NZ, en-GB, en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 3038a9b8-37b3-46c1-725a-08d90470398d
X-MS-TrafficTypeDiagnostic: MEYPR01MB7213:
X-Microsoft-Antispam-PRVS: <>
X-MS-Oob-TLC-OOBClassifiers: OLM:8273
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0
X-Microsoft-Antispam-Message-Info: SIb0yjqztrPvPOTjB2J4dRezZtx/ryv70ZBXLUQUUZ3c82ZMdCmZQKT0sRQmw/biEmNb40IptChupm44qhyzSG4epGFgsYkqX/krSpPv8DnTzpIK4wNWwBGkw21t9Kw5n4sZU3sZB/voex++CtHSr2rCXBxq8pDZjMTDH8BuBTdzTkjD7CvB/1Ub281MDoJrnHkE3siVe9bKlskW0mMXMxn+r23mw2Pz9hE1FFufRo1Buc+rZhDNkpNQyjHSUUbvX/akDjdmQ56Io5gFb409MG8u4z/Iz4PXMZLm1oIy+USrqkXvsCo6YU6RLTKZ6ZpruyYoePJ107RbqXuRVA1sRnPn7Po2v37ox0OOYRjB1EAsCAS9+vggsI5Fkrs0WIJxvCB2Wh20jdEj+9O874BEXagg8r8z4SGNQys7E3JEw/AbGX52CllB2vFi2tyZYdUpbZT74y3cNq1iXAzzkwgRdIK+eNDTSlGJ0Pt7aNC/K9JmCGijTJNfoo4hrszMhO4supNvNN0yyK8uWVbrEMVCdP9JrayQ0G5HaBGDZoHrLaL7zdHAok2wnBh7sQ0/Kb36NhWp2bMPONO16rBkCJz8MMDEckFoKdVLO0xkTfsnKSXegPM9Rr7MDqrcam2Y/hLQ+pnVJCIZdMXP8AwPKih1gw==
X-Forefront-Antispam-Report: CIP:; CTRY:NZ; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM;;; CAT:NONE; SFS:(4636009)(39860400002)(136003)(396003)(376002)(346002)(46966006)(36840700001)(5660300002)(8676002)(478600001)(356005)(4326008)(316002)(786003)(70586007)(36906005)(110136005)(82740400003)(66574015)(36860700001)(82310400003)(2906002)(47076005)(83380400001)(4744005)(8936002)(86362001)(336012)(7636003)(70206006)(26005)(186003)(2616005); DIR:OUT; SFP:1101
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Apr 2021 02:50:29.4706 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 3038a9b8-37b3-46c1-725a-08d90470398d
X-MS-Exchange-CrossTenant-Id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=d1b36e95-0d50-42e9-958f-b63fa906beaa; Ip=[]; Helo=[]
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MEYPR01MB7213
X-Mimecast-Spam-Score: 0
Content-Language: en-NZ
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [pkix] Why is the crlNumber an OCTET STRING?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 21 Apr 2021 02:50:48 -0000

Manger, James <> writes:

>Presumably CRLNumber has the “20 octet” language merely for consistency with
>CertificateSerialNumber. They sound so similar: numbering CRLs vs numbering

Ah, that would make sense.

Just for fun, I thought about what it would take to blow past the limits of a
generic integer value, say 64 bits.  It's not just a case of running a counter
up to whatever number it is that a twenty-byte value is called, you need to
sign and publish a CRL for each one.  Let's say, rather optimistically, that
you can do a hundred a second (since it's not just raw sigs but actually
assembling and publishing a CRL), so you're doing ~10M a day.  That's about 5
billion years of issuing CRLs as fast as you can to exceed what an integer
value can hold.

Looked at another way, if you've got some way you can run something that
requires 2^160 operations you'll be doing other things, probably related to
BTC, with it instead of mucking around with PKI.