On Wed, Apr 02, 2014 at 11:32:37AM -0700, Dan Harkins wrote:
>
> Donald is updating an existing RFC and I think the target audience for his
> update is the same as that of the existing RFC.
Well, the current language doesn't say who is the intended audience,
and there may be people who will be reading this that aren't who
we think should be the intended audience. So being explicit about
this might be good. (BTW, what do *you* think the target audience of
the current text is?)

It might also be good to have some explicit advice for different
audiences. For example, "If you are a SOC designer, you should
include a hardware RNG, and please see FOO_REFERENCE for details about
how to create a competent hwrng."

Or, "If you are an application programmer, and your system has a
random number facility, then unless there is a really good reason not
to, you should probably use the OS's rng instead of trying to roll
your own (since you probably will get it wrong). Alternatively, if
your crypto library has a RNG, you should use that, so long as it is
documented to be for cryptographic purposes and you have initialized
it properly per its instructions."
> My hope is that another draft will be written that specifies a strong RNG
> and the target audience for that would be people writing security code,
> especially for embedded OSs that have a more blurred line between kernel
> and application.
There's an awful lot in Donald's current text which covers this
particular area already. In fact, I'd be really worried if other
audiences (i.e., application programmers) were going to try to measure
disk timing in their application code per the instructions in RFC
4086.
So I'm not sure it makes sense to have two different drafts. I'd
suggest being explicit about which pieces of its advice are more
suitable for different audiences.

Cheers,
- Ted