>>> 3. What should I do if I want a given source to be used in addition to the 
>>> other sources, regardless of whether openssl thinks it got “enough bits” of 
>>> randomness or not?

>> Modify the source :)
    
>    Very bad answer. 

And also a wrong one.  Your application can always call RAND_add().  Sorry for 
the mistake.
    
> I have no problem reading the source code. I do have a problem with (a) 
> important decisions like this not “formalized” and documented, and (b) 
> mechanisms to tune the RNG seeding not provided and clearly and 
> comprehensively documented.
   
This is a mostly volunteer open source project.  We are unlikely to commit to 
something that requires so much effort when, frankly, most of the consumers 
aren’t interested, or qualified, to make an assessment.  I am sorry if that 
sounds obnoxious or conceited.  It shouldn’t; there are many things that I know 
I’m not qualified to comment on :)  And also, we reserve the right to make 
changes.

I expect that the FIPS project, just starting, will be of interest to you. 

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
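
Added example (not part of the original message or of OpenSSL's own code): one way an application can mix an extra source into OpenSSL's generator with RAND_add(), shown through Python's `ssl.RAND_add()` wrapper around that call. The helper names, the source path and the choice to credit 0.0 bytes of entropy are assumptions made for illustration.

```python
import os
import ssl
import tempfile


def read_exact(path, nbytes):
    """Read exactly nbytes from path, looping over short reads."""
    chunks, remaining = [], nbytes
    with open(path, "rb", buffering=0) as src:
        while remaining:
            chunk = src.read(remaining)
            if not chunk:  # EOF (or nothing available) before we got enough
                raise OSError(f"{path}: {remaining} bytes missing from source")
            chunks.append(chunk)
            remaining -= len(chunk)
    return b"".join(chunks)


def mix_in_source(path, nbytes=32, credited_entropy=0.0):
    """Pass nbytes from an extra source to RAND_add() and return the count.

    credited_entropy is the estimate (in bytes) handed to RAND_add().
    Assumption: 0.0 by default, so the data is handed over for mixing
    without claiming it adds anything to OpenSSL's own entropy accounting.
    """
    if not 0.0 <= credited_entropy <= nbytes:
        raise ValueError("credited_entropy must lie between 0 and nbytes")
    data = read_exact(path, nbytes)
    ssl.RAND_add(data, credited_entropy)
    return len(data)


if __name__ == "__main__":
    # Constructed stand-in for the extra source (e.g. a hardware RNG device
    # node); a real application would pass that device's path instead.
    with tempfile.NamedTemporaryFile(delete=False) as fake_source:
        fake_source.write(os.urandom(64))
    try:
        mixed = mix_in_source(fake_source.name, nbytes=32)
        print(f"mixed {mixed} bytes, RAND_status={ssl.RAND_status()}")
        print("sample output:", ssl.RAND_bytes(16).hex())
    finally:
        os.unlink(fake_source.name)
```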
