[cabfpub] Definition of Random Value on draft ballot re new domain validation methods

Ryan Sleevi sleevi at google.com
Mon May 4 19:41:19 MST 2015


On May 4, 2015 6:38 PM, "kirk_hall at trendmicro.com" <kirk_hall at trendmicro.com>
wrote:
>
> The problem is, one of the most common random number generating tools is
> the MS GUID generator, and my understanding is that it falls just short of
> 128 bits of entropy.
>

I have never heard of a GUID described as "a random number generating
_tool_". While certainly true that GUIDs can be generated randomly (Version
4 UUIDs, described in RFC 4122, Section 4.4), and true they have 122 bits
of entropy, that seems entirely unnecessary to call them a random number
generating tool.

More importantly, it's not guaranteed to use a cryptographically-strong
PRNG.

So why not just grab the full 128 bits from your favourite source of
entropy? Yes, I realize we are haggling over 6 bits, but more to the
principle seems a distinction between "do what's convenient" vs "do what is
obvious to everyone", the latter being just 128 with a CSPRNG.
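
The 122-vs-128 distinction from the message above, as an added example that is not part of the original post: it samples Version 4 UUIDs and plain CSPRNG output and measures which bit positions never change. The function names and the sample size of 256 are assumptions made for this illustration.

```python
import secrets
import uuid

RANDOM_VALUE_BITS = 128  # the size argued for in the message above


def new_random_value() -> str:
    """Return 128 bits taken directly from the OS CSPRNG, hex-encoded."""
    return secrets.token_hex(RANDOM_VALUE_BITS // 8)


def sample_uuid4(n: int = 256) -> list:
    """Constructed sample: n Version 4 UUIDs as 128-bit integers.

    CPython's uuid4() happens to read os.urandom, but RFC 4122 does not
    require a cryptographically strong source, so other generators may differ.
    """
    return [uuid.uuid4().int for _ in range(n)]


def sample_csprng(n: int = 256) -> list:
    """Constructed sample: n values from new_random_value() as integers."""
    return [int(new_random_value(), 16) for _ in range(n)]


def fixed_bit_mask(values, width: int = RANDOM_VALUE_BITS) -> int:
    """Mask of bit positions holding the same value in every sample."""
    all_ones = (1 << width) - 1
    always_one = all_ones
    always_zero = all_ones
    for v in values:
        always_one &= v              # stays set only if the bit is 1 everywhere
        always_zero &= ~v & all_ones  # stays set only if the bit is 0 everywhere
    return always_one | always_zero


def variable_bits(values, width: int = RANDOM_VALUE_BITS) -> int:
    """Number of bit positions that varied across the sample."""
    return width - bin(fixed_bit_mask(values, width)).count("1")


if __name__ == "__main__":
    # The version nibble (4 bits) and variant field (2 bits) never vary.
    print("uuid4 variable bits: ", variable_bits(sample_uuid4()))
    print("csprng variable bits:", variable_bits(sample_csprng()))
```

With 256 samples, the chance of a genuinely random bit position looking fixed is negligible, so the count reflects the format rather than luck.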