[cryptography] Applications should be the ones [GishPuppy]

267 at gishpuppy.com 267 at gishpuppy.com
Thu Feb 16 21:45:41 EST 2012


Nico Williams wrote:

> Applications (in the Unix sense) should not be the ones seeding the
system's PRNG.  The system should ensure that there is enough entropy
and seed its own PRNG (and mix in new entropy).

Exactly the opposite.

Application creator/maintainer is always in the trust chain; this can not 
be avoided. As the well-known Debiandebacle demonstrated, there is 
every good reason to remove the operating system creator/maintainer
from the trust chain. There is a reasonable chance that a security-critical
application is constructed and maintained by someone who is skilled
in security programming; there is very low chance this is the case with
the operating system.    

Lisa U.

Gishpuppy | To reply to this email, click here: 
http://www.gishpuppy.com/cgi-bin/edit.py?email=267@gishpuppy.com



More information about the cryptography mailing list