> previously on this list Theo de Raadt contributed: > > > Do not feed RSA private key information to the random subsystem as > > entropy. It might be fed to a pluggable random subsystem.... > > > > What were they thinking?! > > My guess considering the reasoning for introducing exploit mitigation > mitigation, would be something to do with being scared about embedded > devices having little entropy but of course and pre-empting your > reply.. in that case you probably can't trust the embedded device > anyway as the dev should be considering entropy amongst many other > things. I believe they decided to feed in RSA certs from connecting > peers too in order to share Linux poor entropy and it may have come > about as a secondary result of that without proper consideration on > the basis of crappy vendors. > > This theory is just conjecture from past news items and not the > openssl list or anything.
Huh? OK... you don't understand either. There were better options. They didn't choose them. And to this day, TODAY, it does the same everywhere.
