Hi Paul, > Paul Hoffman (at Tuesday, January 21, 2014, 2:28:26 AM): >> It still feels very wrong >> for us to be suggesting to application developers that they should >> be doing their own randomness; they should be asking their OS unless >> they are experts, and those experts don't need an RFC.
I don't understand why you think having an RFC means that applications developers are supposed to implement what is described in that RFC. The IETF does lots of non-application level RFCs. I don't agree that it is clear who is an expert in this area. I don't agree that any person believed to be an expert will, in the absence of documentation, know or take into account all the aspects of what might be called best current practice in this area. IETF specifications that call for quantities unpredictable by adversaries need to reference something. Should they just reference the NIST documents? Thanks, Donald ============================= Donald E. Eastlake 3rd +1-508-333-2270 (cell) 155 Beaver Street, Milford, MA 01757 USA [email protected] _______________________________________________ dsfjdssdfsd mailing list [email protected] https://www.ietf.org/mailman/listinfo/dsfjdssdfsd
