On Sun, 31 May 2015, Daniel Kahn Gillmor wrote:

> The other alternative if you wanted fixed seeds would be to use some
> high-entropy value from the real world that would be unpredictable,
> hard to control, but not too hard to verify (e.g. a digest of the
> concatenated UTF-8 representations of the top headline from each of
> the 10 highest-circulation newspapers on the day of re-generation, or
> something similar).

IMO it's still pointless - NUMS-style generation might be useful in cases
where there exists suspicion (but no proof) that some parameter choices
might be trapdoor-able. There's not even the faintest hint that this might
be the case for the DLP in arbitrary strong prime modp groups.

If vendors are concerned about the moduli that OpenSSH ships, I'd
recommend either generating your own (using ssh-keygen or some
independent means) or auditing what we do using primo or some similar
ECPP tool.

Getting a good, open-source primality prover would be nice too...

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
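An added example (not part of this thread and not OpenSSH's own code) of the cheap end of the audit the reply suggests: parse moduli(5)-style lines and check that each modulus p is a safe prime (p and (p-1)/2 prime) whose generator is a primitive root, using Miller-Rabin rather than the ECPP proof a tool like primo gives. The sample lines are constructed with tiny primes; the field layout and the convention that the size field is p's bit length minus one are assumptions taken from OpenSSH's moduli format.

```python
import random

# Constructed moduli(5)-style lines; a real /etc/ssh/moduli holds 2048-bit and
# larger primes. Fields: time type tests trials size generator modulus(hex)
SAMPLE_MODULI = """\
20150531000000 2 6 100 5 2 3B
20150531000000 2 6 100 6 5 6B
20150531000000 2 6 100 5 2 3D
20150531000000 2 6 100 5 3 3B
"""

def is_probable_prime(n, rounds=40):
    # Miller-Rabin: probabilistic, not an ECPP proof of the kind primo gives.
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # found a witness: n is composite
    return True

def check_modulus(line):
    # Audit one moduli line; returns (ok, reason). Raises on a malformed line.
    _t, mtype, _tests, _trials, size, gen, hexp = line.split()
    p, g = int(hexp, 16), int(gen)
    q = (p - 1) // 2
    if mtype != "2":
        return False, "type is not 2 (safe prime)"
    if p.bit_length() != int(size) + 1:  # assumed: OpenSSH records bits-1 here
        return False, "size field does not match modulus"
    if not is_probable_prime(p):
        return False, "p is composite"
    if not is_probable_prime(q):
        return False, "(p-1)/2 is composite, so p is not a safe prime"
    # For a safe prime, g generates the whole group iff it is a quadratic
    # non-residue, i.e. g^q == -1 (mod p); ssh-keygen checks this through
    # congruence conditions on p for the generators 2, 3 and 5.
    if not 1 < g < p - 1 or pow(g, q, p) != p - 1:
        return False, "generator is not a primitive root mod p"
    return True, "ok"
```

Run `check_modulus` over each line of a moduli file: the first two sample lines pass, the third fails because 0x3D = 61 is prime but not a safe prime, and the fourth fails because 3 is a quadratic residue mod 59.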