[Ach] openssl 1.0.1f on debian uses (only) 256bit entropy for key generation

Aaron Zauner azet at azet.org
Thu Mar 20 00:44:57 CET 2014


Hi Kurt,

Kurt Roeckx wrote:
> On Wed, Mar 19, 2014 at 11:59:09PM +0100, Aaron Zauner wrote:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742145
> 
> As I understand this, this is not Debian specific 
True.

> and no problem
> for (RSA) keys going to at least 8192 bit.  If you need larger
> keys you might need more entropy and you'll need to be careful
> about it, but I currently don't see the need for more than 256
> bit.
Yes. No need to panic here, that's simply a "FYI mail". But:
Since Linux 2.6 we have an entropy pool of 4096+ bit serving the whole
system. Why not adopt something similar? I'm not saying it's required
for the generation of keys people do currently deploy, but it might be
needed in the future, so why not make it available?

Aaron
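
Added example, not part of the original message or of OpenSSL: a sketch of the comparison behind the 256-bit point above, using the GNFS-based strength estimate given in NIST's FIPS 140-2 Implementation Guidance (IG 7.5) to find the RSA modulus size at which a 256-bit seed becomes the weakest link. The function names, the list of sizes and the 256-bit scan step are assumptions of this example.

```python
import math

SEED_ENTROPY_BITS = 256  # the figure from the thread subject


def rsa_strength_bits(modulus_bits: int) -> float:
    """Estimated symmetric-equivalent strength of an RSA modulus.

    GNFS work-factor estimate as given in FIPS 140-2 IG 7.5:
    (1.923 * cbrt(L ln 2) * cbrt(ln(L ln 2)^2) - 4.69) / ln 2
    """
    ln_n = modulus_bits * math.log(2)
    work = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return work / math.log(2)


def seed_is_bottleneck(modulus_bits: int, seed_bits: int = SEED_ENTROPY_BITS) -> bool:
    """True when guessing the seed is estimated to be cheaper than factoring."""
    return rsa_strength_bits(modulus_bits) > seed_bits


def crossover_modulus_bits(seed_bits: int = SEED_ENTROPY_BITS,
                           step: int = 256, limit: int = 65536):
    """Smallest scanned modulus size whose estimated strength exceeds the seed."""
    for bits in range(1024, limit + 1, step):
        if seed_is_bottleneck(bits, seed_bits):
            return bits
    return None


if __name__ == "__main__":
    # Sizes chosen for illustration (constructed list, not from the thread).
    for bits in (2048, 4096, 8192, 15360, 16384):
        verdict = "seed" if seed_is_bottleneck(bits) else "modulus"
        print(f"RSA-{bits:<6} ~{rsa_strength_bits(bits):6.1f} bits, weakest link: {verdict}")
    print("seed entropy becomes the limit from RSA-", crossover_modulus_bits(), sep="")
```

Under this estimate an 8192-bit modulus is still the weaker component, and the 256-bit seed only becomes the limit for moduli of roughly 15000 bits and up.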
