Re: Netscape "random" number seed generator code available

[Jim Gillogly <jim@acm.org>]

> jsw@neon.netscape.com (Jeff Weinstein) writes:
> More on the RNG stuff.  On Unix systems we look for ~/.pgp/randseed.bin,
> and feed it through the RNG hash.  On Unix and PC systems we feed the
> environment through the hash, so that would be a good place for a
> concerned user to put some random stuff of their own.

Interesting idea, but I have a (perhaps irrational) dislike for this idea.
If Netscape wants to have its own netsceed.bin file to muck around with on
my system, I'll authorize it to be set up, but I by god don't want it
mucking around with my PGP setup.  Network-aware programs must be more
trusted than local-only programs, because they are the only kind that
legitimately export information they glean from the local environment.  If
Netscape decided to ship the actual contents of my randseed.bin to
somebody else (like escrow.fbi.org, for example) it might give them else a
better edge on finding session keys for my PGP sessions... the privacy of
which I value more even than I value my Netscape transactions.

I'm nervous enough about all the Easter Eggs that have been reported in
Netscape, like the secret keystroke shortcut to get to Fishcam, or the
different behavior it exhibits when it finds a certain obscurely-named
directory at the top level.  If it starts peeking at my PGP environment,
though, I'm drawing the line.  No, thanks.

In summary -- set up your own netsceed.bin if you want, but don't peek
at my PGP randomness.

	Jim Gillogly
	Trewesday, 4 Winterfilth S.R. 1995, 11:57