Paul,

On Mon, January 20, 2014 5:28 pm, Paul Hoffman wrote:
> On Jan 20, 2014, at 5:53 PM, Donald Eastlake <[email protected]> wrote:
>
>> I've been a bit snowed under just recently and this week but I have
>> accumulated some changes and suggestions on the randomness requirement
>> sod security draft and do plan to do a revision soon.
>
> It would be good to see those revisions. It still feels very wrong for us
> to be suggesting to application developers that they should be doing their
> own randomness; they should be asking their OS unless they are experts,
> and those experts don't need an RFC.

"Ask your OS" is putting faith in the guy that wrote the relevant code in your OS. It might be a reasonable leap but it's a leap nevertheless. Recent events should tell us that we should not trust a single source for these things (even if we are told that this single source is actually the output of a bunch of uncorrelated sources of entropy being mixed up).

I see value in draft-eastlake-randomness3 and I also see value in an Informational RFC on a good DRBG for those who feel the need to have a belt as well as suspenders.

Dan.
