On 10/2/2012 2:04 PM, Stefan H. Holek wrote:
Hi All,

Here is something I am not able to figure out, even after checking the FAQ and 
the rand(3) man page:

When using the openssl command line utility, is a private RANDFILE per CA 
required for security reasons, or is it just fine to use a single RANDFILE for 
everything (i.e. the default ~/.rnd)? Older configuration files seem to 
indicate the former, but is this still true?

IOW, I am looking for an answer to whether not having its own RANDFILE degrades 
the security of a CA.

Thank you,
Stefan


I would say it degrades it, as it makes the randomness used by each CA less random.

I would also suggest getting a real hardware RNG source and directly or
indirectly feeding it into OpenSSL. These are commercially available and
typically cheap, and they are still not included with most computer
hardware, despite many failed initiatives in the past.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
