[Cryptography] OpenSSL CSPRNG work
Richard Outerbridge
outer at interlog.com
Thu Jun 29 01:31:59 EDT 2017
> On 2017-06-28 (179), at 20:16:42, Ron Garret <ron at flownet.com> wrote:
>
> On Jun 28, 2017, at 3:36 PM, iang <iang at iang.org> wrote:
>
>> On 28/06/2017 02:44, Ron Garret wrote:
>>
>>> On Jun 27, 2017, at 10:42 AM, Nemo <nemo at self-evident.org> wrote:
>>> bly comparable to the risk of the /dev/urandom team screwing something up, which is to say, the risk is low, but not zero.
[…. & etc.]
> Whatever the risk is, because of the way security risks compose, it is a defensible position for OpenSSL to use its own CSPRNG rather than /dev/urandom.
Lest we forget so soon, the biggest screw-ups with /dev/urandom or embedded generators in recent memory were
trivial programming errors by very experienced security programmers, and their peer-reviewing communities, no?
__outer