Christian Huitema <huit...@huitema.net> writes:

>For one thing, it conflicts with the general advice that developers should
>not invent their own PRNG,

You're not inventing your own PRNG, you're using the TLS PRF, or some
equivalent (I use PBKDF2, HKDF is also nice).

>and should use a good crypto RNG when available.

You're generating public nonces, you could use SHA-1 in a loop or a CRC32 or
whatever, the values are public. All you're doing is isolating the output of
the nonce generator from your crypto-key generator. In fact the very thing
you absolutely don't want to use here is your good crypto RNG.

>Also, when we make such a recommendation in the TLS spec, we can hope that it
>will be heeded by the TLS developers, but what about the developers of
>applications and protocols sitting on top of TLS, such as DTLS, QUIC or HTTP?

They don't need to know or care about this, it's being used to generate the
TLS nonce which is invisible to anything running over TLS. Are we talking
about the same thing here?

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
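The separation Peter describes, seeding a PRF-based generator once and then deriving the public TLS nonces from it rather than pulling them from the crypto RNG, as an added illustration that is not part of the original mail or of any TLS implementation. It uses HKDF (RFC 5869) with HMAC-SHA256 from the standard library; the `NonceGenerator` class, the `"tls nonce generator"` label and the counter-in-info layout are this example's own assumptions, not anything the post or a TLS spec prescribes. The HKDF functions are checked against RFC 5869 test case 1 so the derivation itself is known to be correct.

```python
"""Public-nonce generation isolated from the crypto-key RNG (added example)."""
import hashlib
import hmac
import os
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN  # RFC 5869: empty salt is HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF-Expand")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


class NonceGenerator:
    """Deterministic generator for public nonces (assumed design, not a spec).

    The crypto RNG is consulted exactly once, for the seed. Every nonce after
    that comes from HKDF-Expand over a per-nonce counter, so producing nonces
    never drains or exposes the RNG that produces secret keys.
    """

    def __init__(self, seed: bytes, label: bytes = b"tls nonce generator"):
        # One-time extract step; the label acts as a domain-separating salt.
        self._prk = hkdf_extract(label, seed)
        self._counter = 0

    def next_nonce(self, length: int = 32) -> bytes:
        # info = "nonce" || 64-bit big-endian counter, unique per call.
        info = b"nonce" + struct.pack(">Q", self._counter)
        self._counter += 1
        return hkdf_expand(self._prk, info, length)


def fresh_generator() -> NonceGenerator:
    """Seed a generator from the OS crypto RNG once (the only RNG read)."""
    return NonceGenerator(os.urandom(32))


def secret_key(length: int = 32) -> bytes:
    """Secret keys keep coming straight from the crypto RNG, untouched by nonces."""
    return os.urandom(length)


if __name__ == "__main__":
    gen = fresh_generator()
    client_random = gen.next_nonce()   # public: goes on the wire in ClientHello
    key = secret_key()                 # secret: never derived from the nonce path
    print("nonce:", client_random.hex())
    print("key length:", len(key))
```

The point of the split is visible in the two helpers: `secret_key` reads the crypto RNG, `next_nonce` reads only the one-time-seeded PRF state, so an observer collecting nonces off the wire learns nothing about the RNG state that feeds key generation.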