[schoen]

In fact, without a practical attack against SHA256, all of the serial number bits could be zeroed. This is undesirable for other reasons, but the serial number isn't part of the cryptographic security of the certificate except as far as it can be used to prevent the person requesting the certificate from anticipating or controlling what the entire signed data will be.

[tialaramex]

Well not _all_ the bits. We do want the serial numbers to be non-identical because you need a way to talk about specific certificates for validity checking. Once upon a time bug reports would have focused on certificate serial numbers, these days they're more likely to be crt.sh links but arguably we should discourage that because crt.sh could go away some day.

[schoen]

Yep, that's what I mean by "for other reasons". (Without distinctive serial numbers or crt.sh, we would probably have to attach PEM copies of the certificate in every discussion about it.)