On Mon, 25 Sep 1995, Jim Gillogly wrote:
> jsw@neon.netscape.com (Jeff Weinstein) writes:
> > More on the RNG stuff. On Unix systems we look for ~/.pgp/randseed.bin, and feed it through the RNG hash.
>
> Interesting idea, but I have a (perhaps irrational) dislike for this idea. If Netscape wants to have its own netsceed.bin file to muck around with on my system, I'll authorize it to be set up, but I by god don't want it mucking around with my PGP setup. ...

I thought about this a bit, but I don't think that reading randseed.bin counts as "mucking around with" the "PGP setup." PGP launders randseed.bin before saving it for just this reason, so that reading it won't reveal information on the user's session keys. And the Netscape folks have published the source code which shows that they only read the file and hash it with MD5. That the contents of randseed.bin have been mixed into an MD5 hash with a bunch of other things can hardly be called a security hole, in my estimation.

David R. Conrad, conrad@detroit.freenet.org, http://www.grfn.org/~conrad
Hardware & Software Committee -- Finger conrad@grfn.org for public key
Key fingerprint = 33 12 BC 77 48 81 99 A5 D8 9C 43 16 3C 37 0B 50
No, his mind is not for rent to any god or government.