Hi Tom,

On Sun, Jan 22, 2017 at 1:26 AM, Tom Worster <f...@thefb.org> wrote:

> On 1/20/17 9:55 PM, Yasuo Ohgaki wrote:
>
>> CSPRNG failure is like BUS error, i.e. hardware error. CSPRNG shouldn't
>> fail with healthy hardware/OS.
>>
>
> One would like to think so but low entropy environments exist. The problem
> may even be getting more widespread as embedded systems become more
> widespread.
>
>
Could you tell us which platforms could have problems with CSPRNG usage?



>
>> Therefore, we should not add poor fallback
>> code for it.
>>
>
> I don't see a need or value in breaking programs that previously worked
> properly in the absence of a functioning system CSPRNG.
>
> mt_rand() and uniqid() were not secure before so seed them securely if you
> can otherwise let them work as they did before.


As I stated before, I'm supposing CSPRNG availability is not a problem for
PHP environments today. OSes provide CSPRNG values unless something really
bad has happened, i.e. a hardware failure or a serious OS bug.

I could be wrong about this. Do you have any idea which platforms will be
affected?

Thank you,

--
Yasuo Ohgaki
yohg...@ohgaki.net
