From owner-freebsd-audit Mon Nov 29 14:30:27 1999 Delivered-To: freebsd-audit@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 4757415466; Mon, 29 Nov 1999 14:30:26 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 345EA1CD626; Mon, 29 Nov 1999 14:30:26 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Mon, 29 Nov 1999 14:30:26 -0800 (PST) From: Kris Kennaway To: Brad Knowles Cc: Dan Moschuk , Bruce Evans , Mike Smith , audit@FreeBSD.ORG, Warner Losh Subject: Re: cvs commit: src/sys/i386/conf files.i386 src/sys/kern kern_fork.c src/sys/libkern arc4random.c src/sys/sys libkern.h In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Mon, 29 Nov 1999, Brad Knowles wrote: > This seems like a serious problem. I think we need to fix this > as soon as we can, if we're going to have any credibility in our > audit and security processes (I think we also need to get the commit > process changed so as to help automate what we can of the > audit/re-audit process). > > Does anyone have any further thoughts in this area? Anyone know > of any available professional cryptographers who might be available > to do this kind of work? Anybody got any better contacts with Greg > Rose or Carl Ellison, or perhaps other cryptographers who might know > of potentially interested/available parties? If we were to use Yarrow, we get the review for free by virtue of it being designed & reviewed by a professional cryptographer. But, I think there are more important things we should do first to start raising our credibility wrt security (i.e. the current PRNG implementation is not bad per se, it's just perhaps suboptimal) Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message