>>>>> "Ben" == Ben Hutchings <ben@decadent.org.uk> writes:
Ben> The output of the RNG may well become public, for example in
Ben> document UUIDs. So when estimating the entropy that the new
Ben> seed file will provide for the next boot, none of the entropy
Ben> in the old seed file should be credited.
Are you saying that you believe that given output from the RNG it is
cryptographically feasible to determine the seed?
There's a trivial reduction from that claim to a proof that the PRNG is
not in fact a PRNG.
Unless there are cryptology results I'm unaware of--and it has been a
few years since I studied the construction of PRNGs--then I don't think
your argument is reasonable.
A PRNG should be secure so long as its seed stays secret.
Now, there are a lot of ways that a seed can become not secret. So I
don't think our default should be to assume that a seed is secret.
However, especially on platforms that don't have good hardware, I do
think having a quick package you can install that gives reasonable
operation under the assumption you keep your PRNG seed secret is very
valuable.
It shouldn't be the default out of the box, but it should be easy to
turn on because it's a common configuration for our users.
What am I missing here?
Attachment:
signature.asc
Description: PGP signature