On 20-Oct-99 at 09:53, Ben Laurie ([EMAIL PROTECTED]) wrote:
> Exactly. The fundamental point that OpenSSL should have a pool of
> entropy which it attempts to fill with an appropriate amount of the
> stuff at appropriate moments is a good one.

I'm not so sure about that. Oh, there's no question that OpenSSL
should have access to such an entropy pool. I'm just not convinced
that it should be providing it itself; especially in environments
where the OS is already providing one (e.g., FreeBSD) and where
user-level code may not have ready access to the basic sources of
entropy (e.g., just about any version of unix).

What I'd rather see is:

1. A section of the OpenSSL documentation explaining how to
   choose good parameters for whatever tuning capability is
   available for known OS-provided entropy pools. (E.g., How
   to pick IRQs to stir the pool in FreeBSD.)

2. A side-project to assist in the creation and inclusion of
   a suitable entropy pool in any Open Source OS that doesn't
   currently provide one.

   This should be viewed as a short-term project (or group of
   short-term projects) with the resulting code and documentation
   handed off to the OS's core team for continued maintenance.

3. A side-project to provide general-use entropy pools as third
   party packages for Closed Source OSes that don't already have
   one. These packages should not be part of the OpenSSL source;
   but should be available separately and listed as requirements
   for installing OpenSSL on those platforms.

   This should be viewed as an intermediate-term project intended
   to fill in a gap until the OS vendor provides a suitable entropy
   pool as part of the base system.

-Pat
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]