----- Original Message -----
From: <[EMAIL PROTECTED]>
> On 20-Oct-99 at 09:53, Ben Laurie ([EMAIL PROTECTED]) wrote:
> > Exactly. The fundamental point that OpenSSL should have a pool of
> > entropy which it attempts to fill with an appropriate amount of the
> > stuff at appropriate moments is a good one.
>
> I'm not so sure about that. Oh, there's no question that OpenSSL
> should have access to such an entropy pool. I'm just not convinced
> that it should be providing it itself; especially in environments
> where the OS is already providing one (e.g., FreeBSD) and where user-
> level code may not have ready access to the basic sources of entropy
> (e.g., just about any version of unix).
I disagree. I would like to see configurable stuff already pre-coded.
Wintel people ought to be able to access sound cards, and everybody ought
to be able to access at least the basic/standard entropy sources for their
particular OS merely by configuration, but without coding.
>
> What I'd rather see is:
>
> 1. A section of the OpenSSL documentation explaining how to
> choose good parameters for whatever tuning capability is
> available for known OS-provided entropy pools. (E.g., How
> to pick IRQs to stir the pool in FreeBSD.)
OK.
>
> 2. A side-project to assist in the creation and inclusion of
> a suitable entropy pool in any Open Source OS that doesn't
> currently provide one.
OK.
>
> This should be viewed as a short-term project (or group of
> short-term projects) with the resulting code and documentation
> handed off to the OS's core team for continued maintenance.
OK.
>
> 3. A side-project to provide general-use entropy pools as third
> party packages for Closed Source OSes that don't already have
> one. These packages should not be part of the OpenSSL source;
> but should be available separately and listed as requirements
> for installing OpenSSL on those platforms.
OK for the entropy generator source code, but OpenSSL *itself*
needs the code to decide how much entropy it needs from the OS's
entropy source at any given point in time, depending on key
generation frequency.
>
> This should be viewed as an intermediate-term project intended
> to fill in a gap until the OS vendor provides a suitable entropy
> pool as part of the base system.
OK.
> -Pat
Andrew.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]