On Jan 22, 2014, at 10:13 AM, Donald Eastlake <[email protected]> wrote:
> Hi Paul,
>
>> Paul Hoffman (at Tuesday, January 21, 2014, 2:28:26 AM):
>>> It still feels very wrong
>>> for us to be suggesting to application developers that they should
>>> be doing their own randomness; they should be asking their OS unless
>>> they are experts, and those experts don't need an RFC.
>
> I don't understand why you think having an RFC means that applications
> developers are supposed to implement what is described in that RFC.

Why else write the RFC? Is it for developers who work on /dev/random in various OSs? If so, there is a whole different set of problems with the document, which we discussed during the round before this.

> The IETF does lots of non-application level RFCs.

Sure, and if this is one of those, you need to say that clearly. That's why I said I wanted to see what changes you were making in the -01.

> I don't agree that
> it is clear who is an expert in this area. I don't agree that any
> person believed to be an expert will, in the absence of documentation,
> know or take into account all the aspects of what might be called best
> current practice in this area.

Sure. However, I also don't think the document describes what are "best", much less "current", practices in the area. The permathreads on the cryptography mailing list make it really clear that there is no agreement on what is "best" even among active crypto developers. They also show that many people don't even know what is "current": Ted Ts'o has had to tell folks a few times that their new ideas are in fact already implemented, at least in Linux.

> IETF specifications that call for
> quantities unpredictable by adversaries need to reference something.

Yes.

> Should they just reference the NIST documents?

Definitely not.

--Paul Hoffman
_______________________________________________
dsfjdssdfsd mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dsfjdssdfsd
