Entropy and DSA key
mouring at etoh.eviladmin.org
Wed Nov 7 08:34:02 EST 2001
On Tue, 6 Nov 2001, Dave Dykstra wrote:
> On Tue, Nov 06, 2001 at 01:44:55PM -0600, mouring at etoh.eviladmin.org wrote:
> >
> >
> > On Tue, 6 Nov 2001, Dave Dykstra wrote:
> >
> > > > Before someone jumps up and starts screaming: I'm not proposing we
> > > > suddenly drop it. The proposal is this (not set in stone mind you):
> > > >
> > > > 3.1 - Make internal entropy --with-* option and not enabled by default.
> > > > Provide warnings at that screen and provide locations to PRNGd. Warn
> > > > about how it will be removed in a future release.
> > >
> > > I don't mind a configure option.
> > >
> >
> > So can we at least agree that Internal Entropy should *NOT* be enabled
> > unless someone enables it via a ./configure option? At least starting in
> > 3.1 and later?
>
> It's OK with me although I imagine it may cause more questions from
> people. If configure bombs when it can't find prngd or /dev/random and
> tells people to enable the option then that should keep away most of the
> questions. It could be a good way to educate people to the disadvantages
> if the message explains that.
>
That is my idea. People don't read the warning we have now. If a
./configure fails people are more apt to stop and think (not by much).
[..]
> > > > 4.0 - ? Remove internal entropy code.
> > >
> > > Are you saying you would continue support of libprngd.a? If so, why not
> > > take out the internal entropy code at the same time you switch to libprngd.a
> > > in 3.5?
> > >
> > No. In my world view there needs to be an overlap. A few releases of
> > 'warning' that the internal entropy code is being removed before it
> > actually occurs. This should be reserved for major release numbers.
>
> Oh, ok. The reasons for the temporary dual support would be in case people
> have problems with the new implementation or if they don't want to deal with
> the external dependency.
>
> Thanks for the clarification. Given Lutz's comments though the plan may
> need to be modified when the time comes. Hopefully OpenSSL will pick up
> more support.
>
<nod> Agreed. I think it may be time to join the OpenSSL list and have a chat
with them for a while. But not until I have spent more time in the
OpenSSL code and can provide a starting point. I hate whining about
features without at least some form of 'proof of concept' hack.
- Ben