WRT generic use of RNGs in IETF protocols:
On 12/07/2026 09:06, John Mattsson wrote:
I think this discussion would be better held in a broader IETF context rather than within individual TLS KEM drafts. The best outcome would be for an IETF working group to produce an RFC4086bis that other RFCs could reference. Such an update should point implementers to existing standards, such as relevant NIST publications, and widely deployed implementations such as Linux /dev/ random. RFC 4086 is a good document on the principles of randomness, but it is no longer a good implementation manual for someone writing a TLS stack in 2026. I also do not think the NIST specifications are perfectly suitable. They are focused on cryptographic modules and do not ephasize essential principles such as combining multiple entropy sources and continuously incorporating fresh entropy into the RNG state.
The above seems sensible. IIRC 4086 was AD sponsored, which'd have been my initial take on how to process a successor, but it's quite arguable that a WG could be better now, esp since we have new fancy crypto here and there (e.g. ppm) where some new issues might arise. A WG is probably more likely to result in such issues being thought through. I don't think having such a WG means we ought not add text to e.g. the ml-kem drafts. While lots of duplication is bad, a little bit of duplication can be just right:-) Cheers, S.
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
