WRT generic use of RNGs in IETF protocols:

On 12/07/2026 09:06, John Mattsson wrote:
I think this discussion would be better held in a broader IETF
context rather than within individual TLS KEM drafts. The best
outcome would be for an IETF working group to produce an RFC4086bis
that other RFCs could reference. Such an update should point
implementers to existing standards, such as relevant NIST
publications, and widely deployed implementations such as Linux /dev/
random.

RFC 4086 is a good document on the principles of randomness, but it
is no longer a good implementation manual for someone writing a TLS
stack in 2026. I also do not think the NIST specifications are
perfectly suitable. They are focused on cryptographic modules and do
not ephasize essential principles such as combining multiple entropy
sources and continuously incorporating fresh entropy into the RNG
state.

The above seems sensible. IIRC 4086 was AD sponsored, which'd have
been my initial take on how to process a successor, but it's quite
arguable that a WG could be better now, esp since we have new fancy
crypto here and there (e.g. ppm) where some new issues might arise.
A WG is probably more likely to result in such issues being thought
through.

I don't think having such a WG means we ought not add text to e.g.
the ml-kem drafts. While lots of duplication is bad, a little bit
of duplication can be just right:-)

Cheers,
S.

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to