[Help-gnutls] Re: About entropy gathering

devel dev001 at pas-world.com
Wed Jan 31 19:27:28 CET 2007


O mié, 31-01-2007 ás 12:58 +0100, Simon Josefsson escribiu:

> If the time-limit is 30s, you then wouldn't be able to generate a
> private key on your athlon64, while waiting longer would make that
> possible.  Deciding on the time-limit is difficult.  On smaller
> machines, generating the required entropy can take many minutes.


You said that you can not choose time limit, this is true. But user can,
he knows machine and hardware. Typical time limit could be 3600seconds
or more with default config file, or define directive.

Really this option (time limit) is not needed, but in some case the
computer is slow, no cpu used, no hard disk noise, and pseudo random
data have low throught, and program do not exit.

Where is the problem?, said the user.

> 
> A process indicator might be useful, and if someone wants to work on
> adding one -- just read one byte of randomness at a time and display
> some progress to the user after each byte has been read -- I'd like to
> integrate it.

> However, when you talk about 'server', what do you mean?  Generating
> RSA/DSA private keys or DH parameters can block, but a GnuTLS server
> should never (if I understand how we are using libgcrypt correctly).
> If you are having a GnuTLS server block on randomness, please give
> more details -- that shouldn't happen.
> 
> /Simon

"Server" as machine that signs, make keys and certicates, really
computer, this is a mistake.

Personal computer do not need too much real random data (nowdays), and
in professional computer, administrator should test hw_rng and bytes/sg.


Well, it's true, time limit does not seem very useful.


--
Devel it, Precio http://www.pas-world.com






More information about the Gnutls-help mailing list