From: “David R. Conrad” <drc@russell.moore.com>
To: cypherpunks@toad.com
Message Hash: 6544dabef4c0c1e89ed7d6d2891469d07da827c2f8edc6311c93651931d161fb
Message ID: <Pine.LNX.3.91.950926083206.866F-100000@russell.moore.com>
Reply To: <199509251159.EAA08528@mycroft.rand.org>
UTC Datetime: 1995-09-26 12:42:01 UTC
Raw Date: Tue, 26 Sep 95 05:42:01 PDT
Subject: Re: Netscape "random" number seed generator code available
On Mon, 25 Sep 1995, Jim Gillogly wrote:
> > jsw@neon.netscape.com (Jeff Weinstein) writes:
> > More on the RNG stuff. On Unix systems we look for ~/.pgp/randseed.bin,
> > and feed it through the RNG hash.
>
> Interesting idea, but I have a (perhaps irrational) dislike for this idea.
> If Netscape wants to have its own netsceed.bin file to muck around with on
> my system, I'll authorize it to be set up, but I by god don't want it
> mucking around with my PGP setup. ...

I thought about this a bit, but I don't think that reading randseed.bin
counts as "mucking around with" the "PGP setup."

PGP launders randseed.bin before saving it for just this reason, so that
reading it won't reveal information on the user's session keys.

And the Netscape folks have published the source code which shows that
they only read the file and hash it with MD5. That the contents of
randseed.bin have been mixed into an MD5 hash with a bunch of other
things can hardly be called a security hole, in my estimation.

David R. Conrad, conrad@detroit.freenet.org, http://www.grfn.org/~conrad
Hardware & Software Committee -- Finger conrad@grfn.org for public key
Key fingerprint = 33 12 BC 77 48 81 99 A5 D8 9C 43 16 3C 37 0B 50
No, his mind is not for rent to any god or government.
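
The read-and-hash step discussed in this message, sketched as an added example that is not part of the original post and is not Netscape's published source. The function names, source labels and sample bytes are constructed for illustration; MD5 appears only because the message names it.

```python
import hashlib
import os
import struct
import tempfile


def read_seed_file(path, limit=4096):
    """Return up to `limit` bytes of an optional seed file, opened read-only."""
    try:
        with open(path, "rb") as fh:      # "rb": the file is read, never written
            return fh.read(limit)
    except OSError:
        return b""                        # a missing file simply contributes nothing


def mix_seed(sources):
    """Hash every (label, data) pair into one 16-byte seed.

    Each field is length-prefixed so that ("ab", b"c") and ("a", b"bc")
    cannot produce the same input stream by concatenation.
    """
    h = hashlib.md5()
    for label, data in sources:
        for field in (label.encode(), data):
            h.update(struct.pack(">I", len(field)))
            h.update(field)
    return h.digest()


def demo():
    """Mix a constructed stand-in for randseed.bin with other inputs."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "randseed.bin")
        original = bytes(range(24))       # constructed bytes, not a real PGP file
        with open(path, "wb") as fh:
            fh.write(original)
        # Fixed stand-ins for the "bunch of other things" so the demo repeats.
        other = [("time", b"constructed-clock-sample"), ("os", b"\x13" * 32)]
        with_file = mix_seed(other + [("seedfile", read_seed_file(path))])
        without = mix_seed(other + [("seedfile", read_seed_file(path + ".missing"))])
        with open(path, "rb") as fh:
            unchanged = fh.read() == original
    return with_file, without, unchanged


if __name__ == "__main__":
    print(demo())
```

The seed changes when the file is present, the file's bytes are identical afterwards, and only the digest of the combined inputs leaves the function.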