[Cryptography-dev] OpenSSL Random Engine PR

Jean-Paul Calderone jean-paul at hybridcluster.com
Mon Jan 20 23:11:49 CET 2014


On 01/20/2014 03:51 PM, Paul Kehrer wrote:
> On Monday, January 20, 2014 at 1:26 PM, Jean-Paul Calderone wrote:
>> Since the idea is to use urandom, this won't cause a problem as
>> obvious as blocking the SSL server waiting for more entropy.  It will
>> exhaust what the system (at least on Linux, I don't know much about
>> urandom on other platforms) considers the actual amount of available
>> entropy.  This may mean that any other process that really wants
>> /dev/random may be unable to operate.
>>

Sorry, I think I was unclear here.  I don't care about the blocking vs
non-blocking nature of urandom and random.  I used "/dev/random" to
represent the idea of a higher-quality random source (as compared to
/dev/urandom).

I care about the idea that reading a lot of entropy from either device
(again, it doesn't matter which) results in "draining the entropy
pool".  It sounds like some responders think that "draining the entropy
pool" isn't a real thing that can happen and should be ignored.  Fine,
that's a coherent response.  It's somewhat in contrast with (well,
directly contradicts) the /dev/urandom man page for Linux but I can
accept that the people who wrote that may have been mistaken. :)  If
that's really what people are saying here?

Also, this makes me curious - which device did the people on this list
use to generate their private GPG/SSH/SSL/etc keys?  /dev/random or
/dev/urandom?

Jean-Paul
