On Friday 26 October 2007, Florian Weimer wrote: > * Nikos Mavrogiannopoulos: > > 2. Generate the parameters in a non-blocking way using /dev/urandom. > > (sol2.patch) > > Huh? At least at one point in the past, GNUTLS used /dev/urandom for DH > parameters. Has this changed?
Indeed. When I added this solution I thought RSA parameters were still generated in exim4. This is not true thought. > > I believe the third solution is the most elegant. Generating these > > parameters on the fly (sol2) even if /dev/urandom is used is time > > consuming and not really appropriate for a server. The idea is to have > > them pregenerated. > The main problem is that there is no lock on the file while it is > generated, and that a lot of work is wasted by parallel computation. > Constant DH parameters have been refused by Debian's security pundits. I don't believe there is nothing wrong with static parameters as long as they are long enough. SRP uses a set of static parameters anyway. regards, Nikos -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
