On Thu, Mar 7, 2019 at 8:54 PM bif via dev-security-policy <
[email protected]> wrote:

>
> But BRs are not to be interpreted, just to be applied to the letter,
> whether it makes sense or not. When it no longer makes sense, the wording
> can be improved for the future.
>

Indeed.  But following BR 7.1 to the letter apparently doesn't get you all
the way to compliance, by some opinions.  After all, nothing in 7.1
requires anything as to the quality of the underlying CSPRNG utilized.  It
does not specify whether the 64 bits must be comprised of sequential bits
of data output by the CSPRNG, nor does it specify that one is not permitted
to discard inconvenient values (assuming you seek replacement values from
the CSPRNG).

It is therefore my belief that either the BR 7.1 guideline is wrong/inadequate
or the opinions which would hold that following BR 7.1 to the written
letter is not quite adequate are wrong.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
