Re: [dsfjdssdfsd] evaluating stuff (was: Re: Any plans for drafts or discussions on here?)

[Paul Hoffman <paul.hoffman@vpnc.org>]

On Jan 23, 2014, at 1:57 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

> But I do wonder to what extent we're finding such evaluations
> really useful.

Not.

> I know they are formal form-filling requirements
> in various contexts, but I'm not so sure I'm that comfortable
> treating them as a first order requirement when it comes to
> things we do in the IETF.

Quite right. The base requirement boils down to "prove that input X gave the DBRG N bits of entropy that could not be known by any external system". That proof is always hand-waving for nearly any typical computer or network device. If the inputs are chosen conservatively enough, you can be confident that you got N unguessable bits, but you cannot prove it.

> I have seen a number of credible arguments that such schemes,
> as applied to crypto implementations, are actually counter-
> productive.

Exactly. Vendors tend to copy the claims of other systems that have earlier passed the evaluations, even when the claims do not fully apply to the new system. After a few rounds of this, the claims are meaningless and the vendor is not trying hard enough to get truly random bits.

> So - how important is it that any new work in the IETF on
> this topic be consistent with a requirement for implementations
> to be evaluated via such schemes?
> 
> My take would be that that's not hugely important and should
> lose out to "doing the right thing," but given that some folks
> do need to suffer such evaluations, we should think about 'em
> but treat any evaluation-scheme-specific requirements only as
> nice-to-have level requirements.

Advice on where you might find the bits in typical computers and network boxes is probably useful. Advice about the value of N for input X is actively dangerous.

--Paul Hoffman