From owner-freebsd-security@FreeBSD.ORG Mon Sep 24 17:47:10 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 15745106564A; Mon, 24 Sep 2012 17:47:10 +0000 (UTC) (envelope-from benlaurie@gmail.com) Received: from mail-lb0-f182.google.com (mail-lb0-f182.google.com [209.85.217.182]) by mx1.freebsd.org (Postfix) with ESMTP id 550DA8FC15; Mon, 24 Sep 2012 17:47:08 +0000 (UTC) Received: by lbbgg13 with SMTP id gg13so8715426lbb.13 for ; Mon, 24 Sep 2012 10:47:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=EkS4nGuelOE3VrO2wzy+zExvxrfJyyKB2BrKr4gpfUs=; b=iIxBKdeITUOLNrhzjZ+U1uV+wIgKBZtR3rFuSFy3YPd4ETM+28xtMovmFtkHSLW/Ic k9DN8tpiEKRGxrOp2+JsNOq66vMi7nK+c++FtuaPxb5/EzDQ6iBN4CkhyBp6FRXtcvpz SacqAo3V3t/3N1qef/b2/RBcG1+vWm6vXwPulUztzGF9tcgjj4t/d6uwlwsCXG1gcyt9 n8OoDNFDwTjcIkDIg0sHU2eqsBGN3M8BEFwezfXBE/og9+zbxbT3s0LnLQtZ7jGQQIu4 WqlzsVdzfXmnoHHPN7tkUkFvajKlVgQ2rXD0VwLMTM1AwvanTNMVlQ6qjm8KbgZ8vRyQ 0UHA== MIME-Version: 1.0 Received: by 10.152.124.180 with SMTP id mj20mr11266277lab.43.1348508827957; Mon, 24 Sep 2012 10:47:07 -0700 (PDT) Sender: benlaurie@gmail.com Received: by 10.114.58.147 with HTTP; Mon, 24 Sep 2012 10:47:07 -0700 (PDT) In-Reply-To: <86haqnsrx2.fsf@ds4.des.no> References: <505FDA03.5020207@FreeBSD.org> <86haqnsrx2.fsf@ds4.des.no> Date: Mon, 24 Sep 2012 18:47:07 +0100 X-Google-Sender-Auth: BR4aD_du6GIgMzJfpenxVKk2CuI Message-ID: From: Ben Laurie To: =?ISO-8859-1?Q?Dag=2DErling_Sm=F8rgrav?= Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org, Doug Barton Subject: Re: rc.d/postrandom X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Sep 2012 17:47:10 -0000 On Mon, Sep 24, 2012 at 10:15 AM, Dag-Erling Sm=F8rgrav wrote: > Doug Barton writes: >> If you disagree with what this script is doing, please speak up. > > Do you mean initrandom? I dislike it only slightly less now than I did > before. I hope Pawel's patch works out so we can nuke it.\ He means postrandom. Which deletes all saved entropy because of fear of replay attacks. IMO, this doesn't make much sense - if you don't have sufficient fresh entropy to mix into the pool, then deleting your saved entropy makes you more vulnerable, not less. And if you do, you're not vulnerable anyway. So, I'm with Dough on this one.