Philipp G#ring <[EMAIL PROTECTED]> writes: >I have been asked by to verify the quality of the random numbers which are >used for certificate requests that are being sent to us, to make sure that >they are good enough, and we don´t issue certificates for weak keys.
Go tell whoever wrote your requirements that they (to be frank) don't know what they're talking about. What they're asking for doesn't make any sense. You should ask them what problem they're trying to solve. Don't let them try to tell you how to solve it; you just need to know the goal, not the mechanism. The standard solution is to just not worry about this at all, and say that it is the user's responsibility to choose good random numbers. If the user fails to do so, they're the one who bears the costs of their failure, so why should you care? If the goal is to hold the hands of your users, then you might want to think carefully about whether you want to be in that business, what are the most likely failure modes, and what is the best way to deal with it. (Trying to check whether their numbers are random probably isn't the best answer.) Most CA's have gravitated towards the opinion that that's not something they can control, nor do they want to, nor should they -- and that sounds reasonable to me. But if you want to be in the hand-holding business, you're going to have to do an awful lot more than just check the random numbers. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]