>> I would do exactly the opposite. “Normal” entropy is fetched from the default sources (/dev/urandom). But >> when a sensitive (aka long-term) keys are generated, a (portable :) hardware RNG is plugged in and used with >> RAND_add() equivalent. Reason – in my setup reliable trusted hardware RNG is not always on. If it were, I’d >> use it as the main entropy source and be done with it. > > In general, I would agree with you. In our case, it was a requirement of the > government to trust only the SmartCard RNG. Since we use it for VPN > connections with SmartCard authentication this was no problem, because > the SmartCard must be present in order to initiate the IKEv2 exchange.
Ah, that makes a lot of difference. > The only tricky part was to deal with temporary failures of the entropy > source. Did you experience that often? How did you deal with it?
smime.p7s
Description: S/MIME cryptographic signature
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev