[Cryptography] Use of RDRAND in Haskell's TLS RNG?

Ron Garret ron at flownet.com
Sat Nov 26 22:43:47 EST 2016

On Nov 23, 2016, at 6:31 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:

> Ray Dillinger <bear at sonic.net> writes:
>> A proper audit is one that's sufficient for anybody with a copy of the audit
>> to notice if there's a mistake in the claimed implementation.
> That's for general fiduciary-style audits.  Remember that we're dealing with
> crypto paranoia here, for which "a proper audit" is "an audit that's far more
> comprehensive than what was applied in audit level X", for any value of X up
> to infinity.
> In other words no matter how much it's audited and by whom, there will always
> be people for whom it's not enough.

I think you are both missing the forest for the trees.  What matters is not so much the audit per se.  What matters is *auditability*.

The reason you want an audit is because you don’t trust the vendor. But if you don’t trust the vendor, why should you trust the auditor?  An auditor is no less fallible and no less likely to be corrupted or otherwise turned to the dark side than a vendor.  To coin a phrase, who audits the auditors?

It should not matter so much that an audit has been done (though that matters too, of course) as that it *can* be done — by anyone, not just a privileged party approved by the vendor and who has signed appropriate NDAs.  State actors can influence or infiltrate or even outright control both vendors and auditors.  The only way to protect against this is to insist that the system be architected in such a way that anyone could audit it if they wanted to.
