[Cryptography] [FORGED] Re: OpenSSL and random

[Salz, Rich]

Tens of thousands of individual developers and sysadmins have downloaded, built, and installed OpenSSL.  A handful of distributions also do that, and bundle it with their release. For a variety of understandable reasons, said distro's are always out of date.

> Real developers are not generally crypto geeks.  They need an alarm bell like this to go off to let them know when something is wrong.

And if the alarm bell is "apache won't start" they will throw out openssl or swamp us with email or perhaps fall back to plaintext.

Servers do not have keyboards or screens that can be scraped for a source of entropy.

--  
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richsalz at jabber.at Twitter: RichSalz