Hi! > > On Wed, Dec 23, 2020 at 3:17 PM Petr Tesarik <ptesarik@xxxxxxx> wrote: > > > Upfront, let me admit that SUSE has a vested interest in a FIPS-certifiable Linux kernel. > > > > Sorry, but just because you have a "vested interest", or a financial > > interest, or because you want it does not suddenly make it a good > > idea. The idea is to have good crypto, not to merely check some boxes > > I never suggested that this should serve as a supportive argument. I was just trying to be honest about our motivations. > > I'm a bit sad that this discussion has quickly gone back to the choice of algorithms and how they can be implemented. The real issue is that the RNG subsystem has not developed as fast as it could. This had not been much of an issue as long as nobody was really interested in making any substantial changes to that code, but it is more apparent now. Torsten believes it can be partly because of a maintainer who is too busy with other tasks, and he suggested we try to improve the situation by giving the RNG-related tasks to someone else. > (Please wrap at 80 columns). To play devil's advocate, does RNG subsystem need to evolve? Its task is to get random numbers. Does it fail at the task? Problem is, random subsystem is hard to verify, and big rewrite is likely to cause security problems... Best regards, Pavel -- http://www.livejournal.com/~pavelmachek
Attachment:
signature.asc
Description: Digital signature