[re-sending to es-discuss] Shabsi Walfish wrote: > This depends on what you consider to be the basic use case. Generating > long-lived cryptographic keys absolutely requires high quality entropy... if > you are only generating short-lived authenticators (that are not used for > encryption) then you could get away with weaker entropy. You will get the > most mileage out of this feature if it can be used to generate encryption > keys, or long-lived signing keys.
Personally, I think discussion about the "quality" of the PRNG is a distraction. The PRNG should produce crypto-quality random numbers. Period. That's all that need be said. That's good enough. It's good enough for short-lived authenticators, good enough for encryption keys, good enough for any signing key that's going to be used in Javascript. It's just plain good enough. There's no need for an interface to request or query or specify the quality or entropy of the random numbers. Callers should be able to rely upon it to be crypto-quality. Browsers can deliver on that. My advice is: Keep the API as simple as it possibly can be. Don't get distracted with twirly knobs and added complications. A simple API will be plenty to get the job done. Stay on target. _______________________________________________ es-discuss mailing list es-discuss@mozilla.org https://mail.mozilla.org/listinfo/es-discuss
