Steven M. Bellovin wrote:
On Tue, 13 May 2008 23:27:52 +0100
Ben Laurie <[EMAIL PROTECTED]> wrote:
Ben: I haven't looked at the actual code in question -- are you
saying that the *only* way to add more entropy is via this pool of
uninitialized memory?
No. That would be fantastically stupid.
So why are are the keys so guessable? Or did they delete other
code?
"However, the Debian maintainers, instead of tracking down the source
of the uninitialised memory instead chose to remove any possibility
of adding memory to the pool at all."
Ah -- you wrote "adding memory" rather than "adding entropy", which I
found ambiguous.
I must confess that I said that because I did not have the energy to
figure out the other routes to adding entropy, such as adding an int
(e.g. a PID, which I'm told still makes it in there).
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
