[gnutls-dev] Re: Feature request: not really random session keys

Simon Josefsson jas at extundo.com
Mon Jan 30 17:51:01 CET 2006


Florian Weimer <fw at deneb.enyo.de> writes:

>> Some OSes don't have a /dev/random or worse a predictable one (some OS X).
>> Thus we need to do it on our own to be portable.
>
> Then you need a special daemon.  However, I would like to avoid the
> additional administrative overhead on systems where the kernel can be
> fixed.

Hear, hear.

Moving this complexity away from applications (GnuTLS, GNU SASL,
Shishi, ...) seem like something very useful.  Simply moving it to an
external daemon is good enough, improving /dev/random on Linux would
be an optimization.

Should we write a simple daemon 'grngd', based on libgcrypt, and start
to use it?  That should be simple.  It should likely register two
sockets, one suitable for short-term session keys and one for
long-term keys, matching /dev/urandom and /dev/random.

Is there any point for us to look at EGD?

I think I'll take up on this exercise soon.

Thanks.




More information about the Gnutls-devel mailing list