On Jan 23, 2014, at 1:57 AM, Stephen Farrell <[email protected]> wrote:
> But I do wonder to what extent we're finding such evaluations
> really useful.

Not.

> I know they are formal form-filling requirements
> in various contexts, but I'm not so sure I'm that comfortable
> treating them as a first order requirement when it comes to
> things we do in the IETF.

Quite right. The base requirement boils down to "prove that input X gave the DRBG N bits of entropy that could not be known by any external system". That proof is always hand-waving for nearly any typical computer or network device. If the inputs are chosen conservatively enough, you can be confident that you got N unguessable bits, but you cannot prove it.

> I have seen a number of credible arguments that such schemes,
> as applied to crypto implementations, are actually counter-productive.

Exactly. Vendors tend to copy the claims of other systems that have earlier passed the evaluations, even when the claims do not fully apply to the new system. After a few rounds of this, the claims are meaningless and the vendor is not trying hard enough to get truly random bits.

> So - how important is it that any new work in the IETF on
> this topic be consistent with a requirement for implementations
> to be evaluated via such schemes?
>
> My take would be that that's not hugely important and should
> lose out to "doing the right thing," but given that some folks
> do need to suffer such evaluations, we should think about 'em
> but treat any evaluation-scheme-specific requirements only as
> nice-to-have level requirements.

Advice on where you might find the bits in typical computers and network boxes is probably useful. Advice about the value of N for input X is actively dangerous.

--Paul Hoffman
