On Thu, Jul 10, 2008 at 05:49:27PM +0200, Simon Josefsson wrote:
> Do be careful about using that function though: its exact semantics are
> not documented as far as I know. It may result in having long-term
> private key based on no or little entropy.
The current library does the "right" thing; i.e. random bytes are obtained from /dev/urandom. But if it's undocumented, then it might change in the future to use the output of rand() or something, which would be bad indeed.

The problem is that people run key generation with libgcrypt on machines that gather very little entropy into /dev/random, and key generation can literally take over an hour. I'm happy to use /dev/urandom instead, since the output of a PRNG that only gets, say, 200 bits of entropy had better be indistinguishable from a truly random source. But if libgcrypt decides to make that call use an even weaker source for some reason, Badness would indeed occur.

What do people think?

- Ian
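An added example, not code from this thread or from libgcrypt, of the approach Ian describes: drawing key-generation seed material explicitly from /dev/urandom rather than through a library call whose choice of device is undocumented. The function names are my own; the device-type check and the short-read loop are the details a practitioner would want.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fill buf[0..len) from the named device. The path must be a character
 * device: a regular file planted at that path is rejected rather than
 * read silently. EINTR and short reads are handled. Returns 0 on success,
 * -1 on failure with errno set by the failing call. */
static int fill_random_from(const char *path, unsigned char *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        errno = ENODEV;
        return -1;
    }
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;              /* interrupted by a signal: retry */
        if (n <= 0) {              /* read error, or EOF from the device */
            int saved = n == 0 ? EIO : errno;
            close(fd);
            errno = saved;
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Seed material for key generation, read explicitly from /dev/urandom so
 * the source never depends on a library call whose choice of device is
 * undocumented (the concern raised in the thread). /dev/urandom is used on
 * purpose: it does not block on machines whose pool fills slowly. */
static int key_seed(unsigned char *seed, size_t len)
{
    return fill_random_from("/dev/urandom", seed, len);
}
```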