Subject: Re: arc4random(9)
To: Perry E. Metzger <firstname.lastname@example.org>
From: Jason R Thorpe <email@example.com>
Date: 05/28/2002 13:06:33

On Tue, May 28, 2002 at 03:55:31PM -0400, Perry E. Metzger wrote:
> I partially (but only partially) agree. I think burning the use of rc4
> into the API is a mistake. We can simply have an API that puts out
> random numbers of particular sorts, and the implementation of one of
> them could (or might not be) rc4. Could we change this in that way?

We should have a good API for which arc4random() can be a crappy-api-wrapper
(not only is the name stupid, but how it returns data is also stupid; it
should just put a pseudo-random data stream into a caller-provided buffer,
rather than returning a 32-bit value).

Now, I am not a cryptographer, but, as far as I'm concerned, it matters
not if the arc4random() API returns data from an RC4-based generator ...
as long as it returns random data that is at least as good as an RC4-based

-- Jason R. Thorpe <firstname.lastname@example.org>
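
The interface shape discussed in this message (a generator that fills a caller-provided buffer, with the 32-bit call as a thin wrapper and the algorithm kept out of the API), as an added example that is not part of the original message or of NetBSD's code. The names `rnd_fill`, `rnd_set_backend`, `compat_random32` and both backends are hypothetical, and `/dev/urandom` is assumed to be available.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical backend type: fill buf with len bytes, return 0 on success. */
typedef int (*rnd_backend_fn)(void *buf, size_t len);

/* Backend reading the kernel generator; copes with EINTR and short reads. */
static int backend_urandom(void *buf, size_t len)
{
    unsigned char *p = buf;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0) { close(fd); return -1; }
        p += n;
        len -= (size_t)n;
    }
    close(fd);
    return 0;
}

/* Constructed stand-in, present only to show a backend swap; NOT random. */
int backend_fixed(void *buf, size_t len) { memset(buf, 0xA5, len); return 0; }

static rnd_backend_fn rnd_backend = backend_urandom;

/* Change the generator without touching any caller; NULL restores the default. */
void rnd_set_backend(rnd_backend_fn fn) { rnd_backend = fn ? fn : backend_urandom; }

/* Primary API: caller-provided buffer, failure reported to the caller. */
int rnd_fill(void *buf, size_t len)
{
    if (buf == NULL) return len == 0 ? 0 : -1;
    return rnd_backend(buf, len);
}

/* 32-bit wrapper in the arc4random() style: no error return, so it aborts. */
uint32_t compat_random32(void)
{
    uint32_t v;
    if (rnd_fill(&v, sizeof v) != 0) abort();
    return v;
}
```

Callers of `rnd_fill` can check for failure and request any length, while the wrapper inherits whatever generator is installed.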