"William A. Rowe, Jr." wrote:
>
> From: "Ben Laurie" <[EMAIL PROTECTED]>
> Sent: Saturday, December 29, 2001 3:25 PM
>
> > Justin Erenkrantz wrote:
> >
> > > AIUI, we must also consider that OpenSSL will do some magic to
> > > the seed value on its own, so it *should* make it slightly better.
> > > It'd be nice to get some input from the OpenSSL folks as they've
> > > probably thought about this longer than we have (but, I'm afraid
> > > I'm against a random file on-disk as *no one* wants to deal with
> > > that).
> > >
> > > I guess the problem is trying to identify how good we want this to
> > > be. We'd only use this on platforms that don't have a source of
> > > entropy (i.e. Solaris, AIX, etc.). We're currently kind of screwed
> > > on these platforms anyway - are any of these options better than
> > > nothing at all? I'm at a loss as to what we should do. -- justin
> >
> > I'm completely opposed to us subverting the whole entropy question. It
> > is absolutely unacceptable for Apache to ship with anything that will
> > "fix" the problem of insufficient entropy in any way other than
> > providing sufficient entropy. If this means people have to think, well
> > that's just tough.
>
> Agreed - but perhaps differently. It's something of a political question,
> but if OpenSSL is the solution to crypto ... I rather expect it alone has
> the maintainers and contributors to address cross-platform entropy.
>
> My question is --- is it our place to gather entropy; or do we rely upon
> the OpenSSL project to do so across platforms [and fill in the gaps for
> platforms that really offer nothing.]
It would obviously be better to put any improved solutions for entropy
gathering into OpenSSL rather than APR, if that's what you mean.

> I'm not against supplementing entropy [in fact, Justin and I were joking,
> well half joking, that a simple output filter that recognizes only gzip
> compressed data - could supplement the entropy.] I just question if we
> have the resources to address this adequately, or if it truly belongs in
> the scope of the OpenSSL project itself.

gzip compressed data provides no more entropy than the uncompressed version
of the data - in fact, it provides the same amount. One advantage of
compressed data is that (for certain types of source data) the compression
can give you a better clue as to the amount of entropy present.

> > BTW, EGD is a cross-platform entropy gatherer. And Solaris has patches
> > to provide /dev/random.
>
> Interesting. At least it's dual-licensed [GPL + MIT]. Note it's Perl
> based, however.
>
> http://sourceforge.net/projects/egd/

As noted later in the thread, I should really have pointed at PRNGd.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't
mind who gets the credit." - Robert Woodruff
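The two points Ben makes about compressed data, as an added example that is not part of the original thread and not code from Apache, APR or OpenSSL. The first function compresses every 12-symbol string over a two-symbol alphabet with zlib and counts distinct outputs: lossless compression is injective, so the count (and therefore the min-entropy, log2 of the count) is identical before and after, which is why feeding gzip output into a seed pool adds nothing over feeding in the raw bytes. The remaining functions compare a byte-frequency entropy estimate with deflate output size on constructed inputs to show the "better clue" effect: single-byte statistics over-estimate the entropy of structured data, while a compressor exposes the structure and gives a usable upper bound. All inputs are constructed here with a seeded PRNG or a fixed string; none of them is a real entropy source, and the sizes and thresholds are illustrative choices, not anything the thread specifies.

```python
"""Added example: lossless compression preserves entropy exactly, but its
output size is a handy upper-bound estimate of the entropy that is present."""
import itertools
import math
import random
import zlib
from collections import Counter


def shannon_bits_per_byte(data: bytes) -> float:
    """Entropy of the empirical single-byte distribution of `data` (bits/byte).
    It ignores inter-byte structure, so it over-estimates repetitive data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compressed_bits_per_byte(data: bytes) -> float:
    """Deflate output bits per input byte. Any lossless compressor yields an
    upper bound on the source's entropy rate: on average it cannot beat it,
    and a good one gets close on data whose structure it can model."""
    return len(zlib.compress(data, 9)) * 8 / len(data)


def distinct_counts(length: int, alphabet: bytes) -> tuple:
    """Compress every string of `length` symbols over `alphabet` and return
    (distinct inputs, distinct compressed outputs). The mapping is injective,
    so the two counts are always equal and the min-entropy of the set,
    log2(count), is unchanged by compression."""
    inputs = {bytes(t) for t in itertools.product(alphabet, repeat=length)}
    outputs = {zlib.compress(s, 9) for s in inputs}
    return len(inputs), len(outputs)


def iid_sample(n: int, alphabet: bytes, seed: int) -> bytes:
    """Constructed test data: n symbols drawn uniformly from `alphabet` with a
    seeded PRNG. Deterministic and NOT an entropy source; it only stands in
    for a source whose per-symbol entropy is log2(len(alphabet)) bits."""
    rng = random.Random(seed)
    return bytes(rng.choice(alphabet) for _ in range(n))


def report(label: str, data: bytes) -> dict:
    """Print and return both estimates for one input."""
    stats = {
        "shannon": shannon_bits_per_byte(data),
        "compressed": compressed_bits_per_byte(data),
    }
    print(f"{label:18s} byte-frequency entropy {stats['shannon']:.2f} bits/byte, "
          f"deflate size {stats['compressed']:.2f} bits/byte")
    return stats


if __name__ == "__main__":
    n_in, n_out = distinct_counts(12, b"ab")
    print(f"{n_in} inputs -> {n_out} distinct compressed outputs; "
          f"min-entropy {math.log2(n_out):.0f} bits both before and after")

    # Constructed inputs: ~2, ~8 and ~0 bits of entropy per byte respectively.
    four = iid_sample(4096, b"ACGT", seed=1)
    full = iid_sample(4096, bytes(range(256)), seed=2)
    text = b"The quick brown fox jumps over the lazy dog. " * 200

    report("4-symbol iid", four)        # both estimates near 2 bits/byte
    report("256-symbol iid", full)      # both estimates near 8 bits/byte
    report("repeated sentence", text)   # byte stats say ~4, deflate says ~0
```

The repeated-sentence case is the one that matters for seeding: a byte-frequency test would happily credit it with several bits per byte, while the compressor correctly shows there is almost nothing there. The converse does not hold, so a high compressed size is never proof of entropy (ciphertext and already-compressed data are incompressible and still completely predictable to whoever produced them); compression only ever lowers the estimate, it cannot raise the actual amount.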
