Subject: Re: arc4random(9)
To: Perry E. Metzger <perry@wasabisystems.com>
From: Jason R Thorpe <thorpej@wasabisystems.com>
List: tech-kern
Date: 05/28/2002 13:06:33

On Tue, May 28, 2002 at 03:55:31PM -0400, Perry E. Metzger wrote:

 > I partially (but only partially) agree. I think burning the use of rc4
 > into the API is a mistake. We can simply have an API that puts out
 > random numbers of particular sorts, and the implementation of one of
 > them could (or might not be) rc4. Could we change this in that way?

We should have a good API for which arc4random() can be a crappy-api-wrapper
(not only is the name stupid, but how it returns data is also stupid; it
should just put a pseudo-random data stream into a caller-provided buffer,
rather than returning a 32-bit value).

Now, I am not a cryptographer, but, as far as I'm concerned, it matters
not if the arc4random() API returns data from an RC4-based generator ...
as long as it returns random data that is at least as good as an RC4-based
generator's.

-- 
        -- Jason R. Thorpe <thorpej@wasabisystems.com>
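
The layering discussed in this message, as an added example (not code from the message or from NetBSD): a buffer-filling call is the primary interface, the generator behind it is swappable, and the 32-bit call is a thin wrapper over it. The names rnd_source, rnd_fill, rnd_u32 and both backends are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names are hypothetical; this is not NetBSD's kernel API. */
typedef int (*rnd_fill_fn)(void *ctx, uint8_t *out, size_t len);
struct rnd_source { rnd_fill_fn fill; void *ctx; };

/* Primary API: write len bytes into the caller's buffer; 0 ok, -1 failure. */
int rnd_fill(const struct rnd_source *src, void *buf, size_t len) {
    if (src == NULL || src->fill == NULL || (buf == NULL && len != 0))
        return -1;
    return len == 0 ? 0 : src->fill(src->ctx, buf, len);
}

/* 32-bit wrapper: four bytes from rnd_fill(), host-endian independent. */
int rnd_u32(const struct rnd_source *src, uint32_t *out) {
    uint8_t b[4];
    if (out == NULL || rnd_fill(src, b, sizeof b) != 0)
        return -1;
    *out = (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 0;
}

/* Backend 1: the OS generator, read through /dev/urandom. */
int urandom_backend(void *ctx, uint8_t *out, size_t len) {
    (void)ctx;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(out, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Backend 2: constructed counter stream for checking the plumbing only. */
int counter_backend(void *ctx, uint8_t *out, size_t len) {
    uint8_t *next = ctx;
    for (size_t i = 0; i < len; i++) out[i] = (*next)++;
    return 0;
}

int main(void) {
    struct rnd_source os = { urandom_backend, NULL };
    uint8_t key[16]; uint32_t v;
    if (rnd_fill(&os, key, sizeof key) != 0 || rnd_u32(&os, &v) != 0) return 1;
    printf("filled %zu bytes, u32=%08x\n", sizeof key, (unsigned)v);
    return 0;
}
```

Callers depend only on rnd_fill(), so replacing the generator means changing the rnd_source they are handed, not the call sites.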