Ben Laurie
Thu, 22 May 2008 08:35:52 -0700
Steven M. Bellovin wrote:
> On Tue, 13 May 2008 23:27:52 +0100 Ben Laurie <[EMAIL PROTECTED]> wrote:
>>> Ben: I haven't looked at the actual code in question -- are you saying that the *only* way to add more entropy is via this pool of uninitialized memory?
>> No. That would be fantastically stupid.
>>> So why are the keys so guessable? Or did they delete other code?
>> "However, the Debian maintainers, instead of tracking down the source of the uninitialised memory instead chose to remove any possibility of adding memory to the pool at all."
> Ah -- you wrote "adding memory" rather than "adding entropy", which I found ambiguous.

I must confess that I said that because I did not have the energy to figure out the other routes to adding entropy, such as adding an int (e.g. a PID, which I'm told still makes it in there).
--
http://www.apache-ssl.org/ben.html
http://www.links.org/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
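
Added example (not part of the original message, and not OpenSSL code): a simplified model of the two routes discussed above, adding a buffer to the pool and adding an int such as the PID, showing how many distinct outputs remain when the buffer route is a no-op. ToyPool, the SHA-256 mixing and PID_MAX = 32768 (the Linux default pid_max) are assumptions made for illustration.

```python
import hashlib
import os

PID_MAX = 32768  # assumption: Linux default pid_max


class ToyPool:
    """Simplified hash-based pool; a model only, not OpenSSL's implementation."""

    def __init__(self, mix_buffers):
        self.state = b"\x00" * 32
        self.mix_buffers = mix_buffers  # False models the buffer route removed

    def _mix(self, data):
        self.state = hashlib.sha256(self.state + data).digest()

    def add_buffer(self, buf):
        # Route 1: caller-supplied memory (the "adding memory" route).
        if self.mix_buffers:
            self._mix(buf)

    def add_int(self, value):
        # Route 2: an integer such as the PID.
        self._mix(value.to_bytes(4, "big"))

    def output(self):
        return hashlib.sha256(b"out" + self.state).digest()


def generate(pid, seed, mix_buffers):
    """One 'key': seed the pool with a buffer and the PID, then read it."""
    pool = ToyPool(mix_buffers)
    pool.add_buffer(seed)
    pool.add_int(pid)
    return pool.output()


def distinct_outputs(mix_buffers, runs_per_pid=2):
    """Count distinct outputs over every PID, with fresh seed data per run."""
    seen = set()
    for pid in range(1, PID_MAX):
        for _ in range(runs_per_pid):
            seen.add(generate(pid, os.urandom(32), mix_buffers))
    return len(seen)


if __name__ == "__main__":
    print("buffer route intact: ", distinct_outputs(True))
    print("buffer route removed:", distinct_outputs(False))
```

With the buffer route removed, the fresh seed data never reaches the pool, so the output depends on the PID alone and the whole output space can be listed and checked against.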