[gnutls-dev] Re: Feature request: not really random session keys
Simon Josefsson
jas at extundo.com
Mon Jan 30 17:51:01 CET 2006
Florian Weimer <fw at deneb.enyo.de> writes:
>> Some OSes don't have a /dev/random or worse a predictable one (some OS X).
>> Thus we need to do it on our own to be portable.
>
> Then you need a special daemon. However, I would like to avoid the
> additional administrative overhead on systems where the kernel can be
> fixed.
Hear, hear.
Moving this complexity away from applications (GnuTLS, GNU SASL,
Shishi, ...) seem like something very useful. Simply moving it to an
external daemon is good enough, improving /dev/random on Linux would
be an optimization.
Should we write a simple daemon 'grngd', based on libgcrypt, and start
to use it? That should be simple. It should likely register two
sockets, one suitable for short-term session keys and one for
long-term keys, matching /dev/urandom and /dev/random.
Is there any point for us to look at EGD?
I think I'll take up on this exercise soon.
Thanks.
More information about the Gnutls-devel
mailing list