> I am still of the fairly firm belief that the mistrust in the
> hardware vendors' ability to make a reasonable and robust
> implementation is without foundation.
I don't doubt the ability. I don't doubt that they _can_. I question whether they _do_. (And, indeed, there has been at least one incident that demonstrates that on occasion they don't.)

If I am ever in a situation where I need randomness good enough that I care about things like the accuracy of entropy estimates, I expect the applicable threat model will consider CPU manufacturers untrusted. Thus, I would want the system to consider RDRAND and its ilk the same as any other potential source of entropy: trusted to generate real unpredictability only when specifically configured that way. (The question of what the default should be is a separate one.)

Of course, in a situation like that, I would also want to do all the relevant processing on CPUs (and, where applicable, other hardware) old enough to predate the reasons for caring about that level of unpredictability, because it makes them significantly less likely to have been trojaned.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTML                mo...@rodents-montreal.org
/ \ Email!           7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
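The policy argued for above, as an added illustration that is not code from this thread or from any kernel: every source, RDRAND included, is mixed into a hash-based pool, but only sources the operator has chosen to trust earn entropy credit, so an untrusted CPU RNG can never on its own make the pool look seeded. The `trojaned_rdrand` function is a constructed stand-in for a backdoored instruction (it returns a fixed value the attacker knows), the `trust_cpu` flag name and the 256-bit threshold are assumptions, and the other source inputs are constructed sample bytes.

```python
"""Entropy pool that absorbs every source but credits RDRAND only when configured.

Added example for this thread; 'rdrand' is a constructed stand-in for the CPU
instruction and the trust_cpu policy flag is an assumed name.
"""
import hashlib
import hmac


class EntropyPool:
    """Hash-chained pool: all inputs are absorbed, entropy credit follows policy."""

    def __init__(self, trust_cpu: bool = False, threshold_bits: int = 256) -> None:
        self.trust_cpu = trust_cpu          # assumed policy knob: does RDRAND earn credit?
        self.threshold_bits = threshold_bits
        self.credited_bits = 0
        self._state = bytes(32)             # SHA-256 chaining value

    def add(self, source: str, data: bytes, claimed_bits: int) -> int:
        """Absorb `data`; return the entropy credited (0 for an untrusted CPU RNG)."""
        # Domain-separate by source name and length so records cannot be re-split.
        record = source.encode() + b"\0" + len(data).to_bytes(4, "big") + data
        self._state = hashlib.sha256(self._state + record).digest()
        if source == "rdrand" and not self.trust_cpu:
            credit = 0                      # mixed in, but worth nothing by policy
        else:
            credit = min(claimed_bits, 8 * len(data))
        self.credited_bits += credit
        return credit

    def ready(self) -> bool:
        return self.credited_bits >= self.threshold_bits

    def extract(self, n: int) -> bytes:
        """Derive n output bytes; refuse if credited entropy is below threshold."""
        if not self.ready():
            raise RuntimeError("pool not seeded: %d of %d bits credited"
                               % (self.credited_bits, self.threshold_bits))
        out = b""
        counter = 0
        while len(out) < n:
            out += hmac.new(self._state, counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        # Ratchet the state so earlier outputs cannot be recomputed from a later state.
        self._state = hashlib.sha256(self._state + b"ratchet").digest()
        return out[:n]


def trojaned_rdrand(nbytes: int) -> bytes:
    """Constructed stand-in for a backdoored CPU RNG: looks random, is attacker-known."""
    return hashlib.sha256(b"attacker-known seed").digest()[:nbytes]


def seed_pool(trust_cpu: bool, other_sources: dict) -> EntropyPool:
    """Seed a pool from the fake RDRAND plus whatever other sources are given."""
    pool = EntropyPool(trust_cpu=trust_cpu)
    pool.add("rdrand", trojaned_rdrand(32), claimed_bits=256)
    for name, data in other_sources.items():
        # Constructed sources are assumed to be full-entropy samples here.
        pool.add(name, data, claimed_bits=8 * len(data))
    return pool


if __name__ == "__main__":
    # Constructed sample input standing in for interrupt-timing jitter.
    cpu_only = seed_pool(trust_cpu=False, other_sources={})
    print("rdrand alone, untrusted -> ready:", cpu_only.ready())
    mixed = seed_pool(trust_cpu=False,
                      other_sources={"interrupt-timing": bytes(range(32))})
    print("with another source      -> ready:", mixed.ready())
    print("output:", mixed.extract(16).hex())
```

With `trust_cpu=False` the fake RDRAND is still hashed into the state (so it cannot hurt), but the pool refuses to produce output until some other source has supplied the credited bits; flipping the flag is the "specifically configured" case in which the same input earns full credit.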