[Cryptography] OpenSSL and random

Ray Dillinger bear at sonic.net
Wed Nov 30 19:30:58 EST 2016



On 11/30/2016 11:43 AM, John Denker wrote:

>   Given an RNG that blocks, a great many users won't tolerate it
>   in any critical path.  Instead they will roll their own PRNG,
>   with predictably terrible results.  A library must not foist a
>   blocking RNG on its users.

John.  You're telling people to do things they'd really like to be able
to do.  Things that they would do, immediately and without you even
mentioning it to them, if they could.  Things that some of us have
bought, or built, special hardware to do because we can't find any other
way.  And you're telling them not to rely on any special hardware to do
it, even though the extant standard hardware does not provide a
trustworthy way to do it.

This may explain why your oft-repeated demand is not getting much
traction here.

If this blocks, it will block so early in boot that the machine does not
reach runlevel. On any machine that has already booted up, it will never
block and running it will never cause anything else to block.

If it does block before runlevel is reached, that is a plain
configuration error that the distro people designing the boot scripts
will need to fix. It will mean, for the very same reason you just cited,
that nobody will use their broken distro.  This is, in many ways, an
ideal solution.


				Bear

