Do not use GnuPG under Mac OS RNG
Sun Jun 24 16:13:01 2001
-- Werner Koch <email@example.com> is rumored to have mumbled on Freitag, 22.=20
Juni 2001 15:22 Uhr +0200 regarding Do not use GnuPG under Mac OS RNG:
> || On Fri, 22 Jun 2001 08:08:50 -0400
> || Gordon Worley <firstname.lastname@example.org> wrote:
> gw> rndunix doesn't yield anything reasonably random (it's so unrandom
> gw> that just the casual observer can see the patterns), which is why =
> gw> is being used. egd passes it's self test on OS X and I've had no
> rndunix and egd are both using the same methods to collect entropy.
> So there is no difference. It just looks like EGD is better because
> its output has gone through SHA-1 hashing. It is hard to analyze a
> RNG and if its output is processed by a hash function (like EGD or
> /dev/[u]random) it is impossible to check it just by analyzing the
> STOP USING GNUPG UNDER MAC OS X AND REVOKE ALL THE KEYS YOU HAVE
> CREATED WITH THIS VERSION. YOU SHOULD ALSO REVOKE ALL DSA SIGNING
> KEYS YOU HAVE USED TO CREATE SIGNATURE WITH THIS VERSION.
Werner, thanks for letting us know. I want to make sure that I understand=20
the issue correctly. This concerns only the generation of keys, right?=20
Using keys generated on a different platform is therefore safe(r)?
Also, what can be done to fix this? Are there libraries the end user could=20
install that gnupg would then use, or is Apple the only party that can do=20
anything about this?
Ehrenfeldg=FCrtel 156, 50823 K=F6ln, Germany