Hello, I found confirmation on the Botan site that they didn't do what would have been logical, namely to incorporate /dev/random when possible:
> To ensure good quality output, a PRNG needs to be seeded with truly random > data. Normally this is done for you. However it may happen that your > application has access to data that is potentially unpredictable to an > attacker. If so, use > > void RandomNumberGenerator::add_entropy(const byte* data, size_t length) > > See: http://botan.randombit.net/rng.html I didn't find build instructions to say "use local entropy devices/daemons whenever available" let alone "require their service at startup". What a pitty -- it sounds like they leave it to SoftHSM to do this work, even if the OS has proper sources of entropy. When the OS has no such source, I can relate to what they are doing with status information from the running OS. There is no way to satisfy paranoia anymore then -- software can't create entropy that doesn't exist in hardware and will ultimately trigger someone's paranoia. -Rick_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
