Entropy and DSA key

mouring at etoh.eviladmin.org mouring at etoh.eviladmin.org
Wed Nov 7 08:34:02 EST 2001



On Tue, 6 Nov 2001, Dave Dykstra wrote:

> On Tue, Nov 06, 2001 at 01:44:55PM -0600, mouring at etoh.eviladmin.org wrote:
> >
> >
> > On Tue, 6 Nov 2001, Dave Dykstra wrote:
> >
> > > > Before someone jumps up and starts screaming.  I'm not proposing we
> > > > suddenly drop it.  The proposal is this (not set in stone mind you):
> > > >
> > > > 3.1 - Make internal entropy --with-* option and not enabled by default.
> > > > Provide warnings at that screen and provide locations to PRNGd.  Warn
> > > > about how it will be removed in a future release.
> > >
> > > I don't mind a configure option.
> > >
> >
> > So can we at least agree that Internal Entropy should *NOT* be enabled
> > unless someone enables it via a ./configure option?  At least starting in
> > 3.1 and later?
>
> It's OK with me although I imagine it may cause more questions from
> people.  If configure bombs when it can't find prngd or /dev/random and
> tells people to enable the option then that should keep away most of the
> questions.  It could be a good way to educate people to the disadvantages
> if the message explains that.
>
That is my idea.  People don't read the warning we have now.  If a
./configure fails people are more apt to stop and think (not by much).

[..]
> > > > 4.0 - ? Remove internal entropy code.
> > >
> > > Are you saying you would continue support of libprngd.a?  If so, why not
> > > take out the internal entropy code at the same time you switch to libprngd.a
> > > in 3.5?
> > >
> > No.  In my world view there needs to be an overlap.  A few releases of
> > 'warning' that the internal entropy code is being removed before it
> > actually occurs.  This should be reserved for major release numbers.
>
> Oh, ok.  The reasons for the temporary dual support would be in case people
> have problems with the new implementation or if they don't want to deal with
> the external dependency.
>
> Thanks for the clarification.  Given Lutz's comments though the plan may
> need to be modified when the time comes.  Hopefully OpenSSL will pick up
> more support.
>

<nod> Agreed.. I think it may be time to join OpenSSL list and have a chat
with them for a while.  But not until I have spent more time in the
OpenSSL code and can provide a starting point.  I hate whining about
features without at least some form of 'proof of concept' hack.

- Ben




More information about the openssh-unix-dev mailing list