cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Ian G <iang AT iang.org>
- To: cacert-sysadm AT lists.cacert.org
- Subject: [Cacert-sysadm] openSSL/debian debacle -> random numbers for Security Manual
- Date: Thu, 29 May 2008 17:30:06 +0200
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
With the OpenSSL/debian debacle fresh in our minds, it seems that this would be a good time to think about CAcert's need for good random numbers.
It has frequently been pointed out that random numbers are devilishly difficult to deal with, something made apparent with the recent events. To deal with them requires some sort of process and/or check and/or alternate sources, it would seem.
As Pat is writing the Security Manual, it would seem that this is the place for such a thing; does anyone have a view on a simple procedure for creating a sequence of RNs that is useful for the tasks?
I'm expecting to see something that overcomes simple things like "OpenSSL delivers all zeros and we didn't notice..."
I'd guess there are two parts: root keys (high quality needed) and routine protocol work (OpenSSL/httpd, SSH, etc, so "regular" randoms needed, whatever that means).
Any thoughts? Pat, is there an easy place for this in the SM?
http://wiki.cacert.org/wiki/SecurityManual
iang
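An added example, not part of the original message or of any CAcert procedure: one way to sketch the "check and/or alternate sources" idea, rejecting a stuck generator such as the all-zeros case and combining several sources through a hash. The function names, thresholds, and sources are assumptions chosen for illustration.

```python
import hashlib
import os
import secrets
from collections import Counter

def health_check(sample: bytes, max_run: int = 8) -> list:
    """Return reasons to reject `sample`; an empty list means no gross failure.

    This only catches a stuck or dead generator. Output expanded from a tiny
    seed space looks statistically fine and passes, which is why the draws
    below are also combined across sources.
    """
    if len(sample) < 64:
        return ["sample too short to judge"]
    problems = []
    if len(set(sample)) == 1:
        problems.append("constant output (e.g. all zeros)")
    run = longest = 1
    for prev, cur in zip(sample, sample[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    if longest > max_run:
        problems.append(f"run of {longest} identical bytes")
    if Counter(sample).most_common(1)[0][1] > len(sample) // 8:
        problems.append("one byte value dominates the sample")
    return problems

def mixed_random(n: int, sources) -> bytes:
    """Draw 4096 bytes from every source, fail loudly on a bad draw, hash them together."""
    h = hashlib.shake_256()
    seen = set()
    for name, read in sources:
        draw = read(4096)
        problems = health_check(draw)
        if draw in seen:
            problems.append("identical to another source's output")
        if problems:
            raise RuntimeError(f"{name}: {'; '.join(problems)}")
        seen.add(draw)
        h.update(len(draw).to_bytes(4, "big") + draw)  # length-prefix each draw
    return h.digest(n)

# Constructed sources. secrets.token_bytes stands in for an independent source
# (hardware RNG, dice); on a real host it reads the same kernel pool as os.urandom.
GOOD = [("os.urandom", os.urandom), ("second-source", secrets.token_bytes)]
BROKEN = GOOD + [("stuck-rng", lambda n: bytes(n))]  # simulates the all-zeros failure

if __name__ == "__main__":
    print(mixed_random(32, GOOD).hex())
```

The hashed output is unpredictable as long as at least one source is, so a single silently weakened source does not by itself weaken the result.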