[19386] in cryptography@c2.net mail archive


Re: RNG quality verification

daemon@ATHENA.MIT.EDU (Philipp Gühring)
Fri Dec 23 11:36:27 2005

X-Original-To: cryptography@metzdowd.com
From: Philipp Gühring <pg@futureware.at>
To: David Wagner <daw-usenet@taverner.cs.berkeley.edu>,
	cryptography@metzdowd.com
Date: Fri, 23 Dec 2005 15:47:53 +0100
In-Reply-To: <200512222113.jBMLDD0h015471@taverner.CS.Berkeley.EDU>
X-MDaemon-Deliver-To: cryptography@metzdowd.com

Hi David,

> Go tell whoever wrote your requirements that they (to be frank) don't
> know what they're talking about.

:-)

> What they're asking for doesn't make
> any sense.

At first I had the same answer. But then I started to think it through.
And it makes far more sense to me now.

> You should ask them what problem they're trying to solve.

They are just trying to fulfill the legal requirements.

> Don't let them try to tell you how to solve it; you just need to know
> the goal, not the mechanism.

They just told me their requirements, and how it is normally solved.
I am known for inventing my own mechanisms to solve requirements.

Actually, I already developed one mechanism that solves that problem as a
side-effect.
http://wiki.cacert.org/wiki/QualifiedCertificateRequest
But it's dedicated for hardware implementations, and I need a mechanism for
software implementations (mostly for the browsers) now.

> The standard solution is to just not worry about this at all, and say
> that it is the user's responsibility to choose good random numbers.

Yes. That's what I am planning to do.

But what do I do, if the users ask "And how do I do that?"

It's easy to say that it's their responsibility.
But how should they do it?

At the moment, I wouldn't even know how to do it myself, if someone asked me
to care for it.

Ok, let's forget the CA and the users. How do I do it myself?
How do I make sure myself that the browser is generating good random numbers,
and actually using them properly for the certificate requests?
I will be personally liable for it, if that random thing breaks.

Well, I could get a lot of paper, a good hex editor, and start calculating my
own RSA keys with pencil and paper, read through the ASN.1 specifications,
and manufacture my certificate request myself.
(Has anyone actually done that yet, and can give some time estimates?)

> If the user fails to do so, they're the one who bears the costs of their
> failure, so why should you care?

Perhaps because I am working for a CA that actually does care.

Do you know any browser vendor that guarantees the correct generation of
secure random numbers and their correct usage, and that offers to take
liability if it goes wrong?

> If the goal is to hold the hands of your users, then you might want to
> think carefully about whether you want to be in that business,

I am already in that business. And yes, it's great fun, and I like it.

> what are
> the most likely failure modes, and what is the best way to deal with it.
> (Trying to check whether their numbers are random probably isn't the best
> answer.)

Well, I have to start somewhere. And the best way to start that I could find
is by fulfilling the requirements that are already given. So yes, I start
here now. And I'll try not to stop until I have found good answers to
all the open questions.

> Most CA's have gravitated towards the opinion that that's not
> something they can control, nor do they want to, nor should they --

I don't want to control it, I want to audit it. I want the users to have it
under their control. At the moment, nobody gave them much control over the
random number quality of the keys they are using.

> and
> that sounds reasonable to me.

Yes, it's reasonable, if you aren't paranoid enough. I thought exactly the
same way, before I started to think about this specific topic in more
detail. Now I think it's a bit negligent to ignore the topic completely.
But perhaps there are bigger problems, yes. (Sometimes little problems are
easier to solve than bigger problems ...)

> But if you want to be in the hand-holding
> business, you're going to have to do an awful lot more than just check
> the random numbers.

Yes. Do you have a TODO list for me?

Thanks for your input,
Philipp Gühring


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
