Re: [dsfjdssdfsd] Any plans for drafts or discussions on here?

[Paul Hoffman <paul.hoffman@vpnc.org>]

On Jan 22, 2014, at 8:13 AM, Dan Harkins <dharkins@lounge.org> wrote:

>  "Ask your OS" is putting faith in the guy that wrote the relevant code
> in your OS.

Yes, exactly.

> It might be a reasonable leap but it's a leap nevertheless.

We put faith in the (~85%) guy for all the other crypto code as well, so I don't see the leap.

> Recent events should tell us that we should not trust a single source for
> these things (even if we are told that this single source is actually the
> output of a bunch of uncorrelated sources of entropy being mixed up).

That's one interpretation. Another is that attackers will look for bad implementations and use those as best they can.

>  I see value in draft-eastlake-randomness3 and I also see value in an
> Informational RFC on a good DRBG for those who feel the need to have
> a belt as well as suspenders.

We disagree here; the chance that the person writing the belt will get it wrong and make their crypto trivial to break for an attacker who knows the weakness seems much higher to me than the change that the OS got it wrong. Yes, we could put some warning at the front of the new document about this, but that warning will be ignored by programmers who are sure they know this stuff.

I could see writing something that forces them to mix in randomness from the OS to their possibly-borked DRBG in the hopes that at least that step will fix their problems. However, if we do that, nearly all the interesting technical stuff in the current document is just confusing fluff. The new document reduces to "use an HMAC with the randomness from your OS as the key and whatever stuff you think is random as the data; done".

--Paul Hoffman