> </chair>
> [M] The third paragraph on randomness sources should refer to RFC 4086 and MUST NOT
> use the term "pseudo-randomness" as this will be understood by implementers to refer
> to horribly insecure PRNGs. Just refer to RFC 4086, and make sure that whatever is
> said here is consistent with that (both content and terminology usage).

After briefly perusing RFC 4086, I'm not sure anyone anywhere should reference it anymore. I'll go into more detail on the CFRG mailing list when I get a chance, but my immediate thoughts are that RFC 4086 reads more like an academic field survey, not a best practices document, and that it doesn't reference the actual BCP of 2016, which is to use HKDF. (It does include a description of X9.82, which is probably also okay, but is buried near the end of the document, long after an implementor would have gone to sleep.)

Kyle

_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc
