[Help-gnutls] Alternate random device for certtool

Werner Koch wk at gnupg.org
Thu Dec 4 22:00:46 CET 2008


On Thu,  4 Dec 2008 19:52, nmav at gnutls.org said:

>>     gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);

> Why is this? As far as I understand the only difference was that it uses
> /dev/urandom instead of /dev/random.

Because this has always been the case.  QUICK_RANDOM was and is just a
testing hack.

>>   @item transient-key

> Is this stronger than using /dev/urandom?

It is not a matter of being stronger but of being a feature.
transient-key is supposed to be used for one-off keys and other keys
which are not that valuable.  In general it is always better to use the
defaults for generating a key; see only the recent BSD problems with
their RNG.  This would not have been the case with a blocking one.


Shalom-Salam,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.



