Re: [dsfjdssdfsd] Any plans for drafts or discussions on here?

Paul Hoffman <> Wed, 22 January 2014 16:28 UTC

List: dsfjdssdfsd ("The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086.")

On Jan 22, 2014, at 8:13 AM, Dan Harkins <> wrote:

>  "Ask your OS" is putting faith in the guy that wrote the relevant code
> in your OS.

Yes, exactly.

> It might be a reasonable leap but it's a leap nevertheless.

We put faith in the (~85%) guy for all the other crypto code as well, so I don't see the leap.

> Recent events should tell us that we should not trust a single source for
> these things (even if we are told that this single source is actually the
> output of a bunch of uncorrelated sources of entropy being mixed up).

That's one interpretation. Another is that attackers will look for bad implementations and use those as best they can.

>  I see value in draft-eastlake-randomness3 and I also see value in an
> Informational RFC on a good DRBG for those who feel the need to have
> a belt as well as suspenders.

We disagree here; the chance that the person writing the belt will get it wrong and make their crypto trivial to break for an attacker who knows the weakness seems much higher to me than the chance that the OS got it wrong. Yes, we could put some warning at the front of the new document about this, but that warning will be ignored by programmers who are sure they know this stuff.

I could see writing something that forces them to mix in randomness from the OS to their possibly-borked DRBG in the hopes that at least that step will fix their problems. However, if we do that, nearly all the interesting technical stuff in the current document is just confusing fluff. The new document reduces to "use an HMAC with the randomness from your OS as the key and whatever stuff you think is random as the data; done".

--Paul Hoffman