apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@covalent.net>
Subject Re: random number generation
Date Sat, 29 Dec 2001 23:44:26 GMT
From: "Ben Laurie" <ben@algroup.co.uk>
Sent: Saturday, December 29, 2001 3:25 PM


> Justin Erenkrantz wrote:
> 
> > AIUI, we must also consider that OpenSSL will do some magic to
> > the seed value on its own, so it *should* make it slightly better.
> > It'd be nice to get some input from the OpenSSL folks as they've
> > probably thought about this longer than we have (but, I'm afraid
> > I'm against a random file on-disk as *no one* wants to deal with
> > that).
> >
> > I guess the problem is trying to identify how good we want this to
> > be.  We'd only use this on platforms that don't have a source of
> > entropy (i.e. Solaris, AIX, etc.).  We're currently kind of screwed
> > on these platforms anyway - are any of these options better than
> > nothing at all?  I'm at a loss as to what we should do.  -- justin
> 
> I'm completely opposed to us subverting the whole entropy question. It
> is absolutely unacceptable for Apache to ship with anything that will
> "fix" the problem of insufficient entropy in any way other than
> providing sufficient entropy. If this means people have to think, well
> that's just tough.

Agreed - but perhaps differently.  It's something of a political question,
but if OpenSSL is the solution to crypto ... I rather expect it alone has
the maintainers and contributors to address cross platform entropy.

My question is --- is it our place to gather entropy; or do we rely upon
the OpenSSL project to do so across platforms [and fill in the gaps for
platforms that really offer nothing.]

I'm not against supplimenting Entropy [in fact, Justin and I were joking,
well half joking, that a simple output filter that recognizes only gzip
compressed data - could suppliment the entropy.]  I just question if we
have the resources to address this adaquately, or if it truly belongs in
the scope of the OpenSSL project itself.

> BTW, EGD is a cross-platform entropy gatherer. And Solaris has patches
> to provide /dev/random.

Interesting.  At least it's dual-licensed [GPL + MIT].  Note it's perl
based, however.

  http://sourceforge.net/projects/egd/

Bill


Mime
View raw message