Josef Wolf wrote:

> Don't most unices have /dev/random nowadays? I never planned to run
> this thing on a windows box :)
GnuPG has been ported to many platforms. BeOS, OpenVMS, Win32, and many more that have no /dev/random.

> Hmm, the only drawback I see is a slowdown. The application will
> just hang and wait for more entropy to arrive.

As Daniel Keys Moran wrote in _The Last Dancer_, the mark of a half-assed software design is its inability to fail gracefully. Most software today would be lucky to be even half of that.

GnuPG may fail well in that situation. But will _all_ your applications fail well in that situation? Especially ones which can't afford to block for minutes until the /dev/random pool replenishes?

Being a good software citizen means being sparing in your use of limited systemwide resources. Thus, apps should avoid using /dev/random unless there's a clear and critical need.

>> 3. /dev/random is, as I understand it, an ad-hoc design. Many
>> people who need crypto software need vetted, certified designs
>> (even if the software itself isn't certified). E.g., some people
>> may require ANSI X9.17 RNG. With a software RNG, it's fairly easy
>> to just drop in whatever RNG you need.
>
> Ough... I always thought /dev/random has the highest possible
> quality. How can a RNG be more random than real entropy?

Again, you're missing the point. If /dev/random is set up to access a radioisotope RNG on one system, you have absolutely no guarantee it'll be a radioisotope RNG on all systems. You have absolutely no guarantee it'll be a radioisotope RNG even on all UNIX systems. Depending on how often you upgrade your hardware, you may not even be able to guarantee it's a radioisotope RNG on _your_ system.

GnuPG has no control over how each UNIX handles /dev/random. If GnuPG has no control over that, then GnuPG isn't going to rely on that. GnuPG _can_ rely on its own internal pseudorandom number generator. And thus, it gets a random seed from some believed-good source (varies from platform to platform), and successive calls to the PRNG just use that instead.
You need to recognize that GnuPG is not a Linux-only platform, and considerable work has gone into it to make it work on as many platforms as possible. This means disregarding certain OS features that would tie it narrowly to one specific operating system.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
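The pattern the reply describes, seed once from a platform-specific believed-good source and then answer every later request from an internal deterministic generator so the application never blocks on the kernel pool again, as an added example. This is not GnuPG's code and does not claim to be the generator GnuPG uses; it is a NIST SP 800-90A HMAC_DRBG over SHA-256, a vetted design of the kind the quoted message asks for. The `RESEED_INTERVAL` value and the 48-byte seed size are constructed choices for this demo, and `seed_from_os` relies on `os.urandom`, which does not block once the kernel pool has been initialised at boot.

```python
"""Seed once, then run a deterministic generator (added example, not GnuPG's code).

Implements the HMAC_DRBG from NIST SP 800-90A (section 10.1.2) with SHA-256.
The generator is instantiated from a single draw on the operating system's
entropy source and then serves every request from its own state.
"""
import hashlib
import hmac
import os

OUTLEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256
# Constructed demo value: SP 800-90A permits up to 2**48 requests between reseeds.
RESEED_INTERVAL = 1 << 16


class HmacDrbg:
    """HMAC_DRBG (SP 800-90A) with SHA-256 as the underlying hash."""

    def __init__(self, seed_material: bytes):
        # A 256-bit security strength needs at least 32 bytes of seed material.
        if len(seed_material) < OUTLEN:
            raise ValueError("seed material must supply at least 256 bits")
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(seed_material)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        # HMAC_DRBG_Update: fold provided data into K and V, twice if non-empty.
        self.K = self._hmac(self.K, self.V + b"\x00" + provided)
        self.V = self._hmac(self.K, self.V)
        if not provided:
            return
        self.K = self._hmac(self.K, self.V + b"\x01" + provided)
        self.V = self._hmac(self.K, self.V)

    def reseed(self, seed_material: bytes) -> None:
        """Mix fresh entropy into the state and restart the request counter."""
        self._update(seed_material)
        self.reseed_counter = 1

    def generate(self, n: int) -> bytes:
        """Return n pseudorandom bytes; fails closed once a reseed is due."""
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required before further output")
        out = b""
        while len(out) < n:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(b"")  # back-track resistance: refresh K and V after output
        self.reseed_counter += 1
        return out[:n]


def seed_from_os(nbytes: int = 48) -> bytes:
    """One draw on the platform entropy source (constructed default: 48 bytes)."""
    return os.urandom(nbytes)


def new_generator() -> HmacDrbg:
    """The 'seed once, then use the PRNG' pattern from the reply above."""
    return HmacDrbg(seed_from_os())


if __name__ == "__main__":
    drbg = new_generator()
    # Every later call is served from internal state, never from /dev/random.
    print(drbg.generate(16).hex())
    print(drbg.generate(16).hex())
```

Two generators instantiated with the same seed material produce identical output, which is what makes a DRBG auditable against published test vectors; on a real system the seed comes from `seed_from_os` and is drawn once, and a long-running process calls `reseed` periodically rather than touching the blocking device on every request.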