> From: Edward Ned Harvey (bouncycastle) > [mailto:bouncycas...@nedharvey.com] > > Good info all around, thanks - I do have a few questions for you.
So ... Pete? Did you see this message? > First of all, given that BC is C# and java, my first question is, how closely > in- > sync do they need to remain? I am a C# developer, and I haven't done java > in 10 years. Given the unfortunate direction oracle is taking java, I plan to > leave it in my past. > > I have a checkout of the C# code, from https://github.com/bcgit/bc-csharp > If I want to contribute, should I fork it, modify, and submit pull request? > Or > should I branch and push to my own branch? (I think I would require > permission on the repo side.) > > To improve security, the very first thing I would like to add is: The default > master instance of SecureRandom should pull from > CryptoApiRandomGenerator, in addition to ThreadedSeedGenerator. And > SetSeed(GetSeed(8)) is obviously insufficient and trivially easy to improve, > and it would be very smart to periodically feed some more seed material into > the PRNG, but that would be a significant deviation from (and improvement > over) the java implementation. So is it ok to deviate from the java > implementation significantly? Not talking about changing the API. Just > improving the implementation. > > I haven't looked at the test code. I assume it would be trivial to add the > trivial > compression test to detect compressible output coming out of > ThreadedSeedGenerator. But as demonstrated in this discussion thread, the > results vary according to which platform runs the test. So adding the test > code might be basically pointless, depending on how the tests are run on > which platforms. So my question is: How are the tests run, and on which > platforms? > > I would be very happy to also contribute ThreadSchedulerRandomGenerator > (in tinhat random, it's EntropySources.ThreadSchedulerRNG) and let the > default SecureRandom seed from it too.
