On Wed, Apr 02, 2014 at 10:02:24AM -0700, Paul Hoffman wrote:
>
> Personally, I have a strong hesitation of a BCP using phrases like
> "a few bits of entropy" if we can't measure them and if we don't
> even know if they exist.

One of the problems is that there is a lot of nuance which is
required. For example, if you can't change the hardware, on a mobile
device, one of the few sources of unpredictability might be the radio
strength --- if you grab this in early boot and if you know that the
values aren't being fed via a centralized logging scheme. It's not
really _entropy_ per se, but if you are assuming that someone sitting
in Fort Meade won't know whether your cell phone is in your knapsack
under the steel desk, or on top of the desk, it probably does add a
certain amount of protection.

Ditto grabbing touch screen information; sure, if someone has a camera
surveilling you, it might not have much unpredictability, but it's
still probably a good thing to mix into your entropy pool.

And if we try to tell people that if you can't do anything at all
which is True Entropy (tm), you might as well go home, then people
might just do that.

- Ted