edit: well I got that wrong. The reason seems to be they had multiple different validation methods and wanted to be able to use the same random number across the different methods. Lots of details in the incident report[0].
I'll leave this in case some find the links interesting:
For someone like DigiCert I imagine they could ensure a much higher quality source of randomness, i.e. multiple different hardware sources like the avalanche noise of semiconductor junctions[1], cosmic rays[2] or lava lamps[3].
It's also easier to ensure the random numbers used are of good quality when you have a single source, i.e. you can collect statistics as they're served.
[0]: https://bugzilla.mozilla.org/show_bug.cgi?id=1910322#c17
[1]: https://ieeexplore.ieee.org/document/10295491
[2]: https://nyuscholars.nyu.edu/en/publications/muon-ra-quantum-...
[3]: https://blog.cloudflare.com/lavarand-in-production-the-nitty...