Entropy and DSA key

Dave Dykstra dwd at bell-labs.com
Wed Nov 7 08:28:10 EST 2001


On Tue, Nov 06, 2001 at 01:44:55PM -0600, mouring at etoh.eviladmin.org wrote:
> 
> 
> On Tue, 6 Nov 2001, Dave Dykstra wrote:
> 
> > > Before someone jumps up and starts screaming.  I'm not proposing we
> > > suddenly drop it.  The proposal is this (not set in stone mind you):
> > >
> > > 3.1 - Make internal entropy a --with-* option and not enabled by default.
> > > Provide warnings at that screen and provide locations to PRNGd.  Warn
> > > about how it will be removed in a future release.
> >
> > I don't mind a configure option.
> >
> 
> So can we at least agree that Internal Entropy should *NOT* be enabled
> unless someone enables it via a ./configure option?  At least starting in
> 3.1 and later?

It's OK with me although I imagine it may cause more questions from
people.  If configure bombs when it can't find prngd or /dev/random and
tells people to enable the option then that should keep away most of the
questions.  It could be a good way to educate people about the disadvantages
if the message explains that.


> > > 3.5 - ? Provide ability to link with a libprngd.a instead of compiling w/
> > > our internal entropy.
> >
> > No problem.  I assume libprngd.a would be part of the prngd package then,
> > not the OpenSSH package, and since you wouldn't have to maintain it, it
> > would make your life easier.
> >
> That was my initial idea yes.
> 
> > > 4.0 - ? Remove internal entropy code.
> >
> > Are you saying you would continue support of libprngd.a?  If so, why not
> > take out the internal entropy code at the same time you switch to libprngd.a
> > in 3.5?
> >
> No.  In my world view there needs to be an overlap.  A few releases of
> 'warning' that the internal entropy code is being removed before it
> actually occurs.  This should be reserved for major release numbers.

Oh, ok.  The reasons for the temporary dual support would be in case people
have problems with the new implementation or if they don't want to deal with
the external dependency.

Thanks for the clarification.  Given Lutz's comments, though, the plan may
need to be modified when the time comes.  Hopefully OpenSSL will pick up
more support.

- Dave Dykstra


