Subject: Re: insufficient entropy for rnd
To: Daniel Carosone <dan@geek.com.au>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-crypto
Date: 08/25/2003 12:55:22
> rnd(4) seems a bit schizophrenic about whether it trusts things like
> hash functions or not.
How so, other than the estimator (which is hopelessly bogus, but at
least can't be any less paranoid than a user asking for /dev/random
data)?
Basically, I was commenting on the notion of having 'full entropy'
bits as the prime commodity via /dev/random, vs. second-class bits
from /dev/urandom. If the seed has enough entropy, and the hash
construction and the hash are sound, then the multiple outputs should
all be unguessable and independent. Being deeply worried about having
full-entropy bits (which Yarrow is not) to me indicates a distrust of
the hash function. But, rnd depends critically on using the hash
function for mixing in bits.
--
Greg Troxel <gdt@ir.bbn.com>
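A minimal hash-based generator along the lines Greg describes, as an added illustration that is not part of this thread and is neither NetBSD's rnd(4) nor Yarrow itself: samples are mixed into a pool with SHA-256 (an assumed choice of hash), a seed key is derived from the pool, output blocks are expanded from that key with a counter, and the key is periodically replaced with its own output (a Yarrow-style "gate", with an assumed interval of 10 blocks). The point it shows is that output quality rests on seed entropy plus hash soundness, not on a "full-entropy" bit consumed per output bit.

```python
import hashlib
from typing import Iterable

HASH = hashlib.sha256  # assumed hash; the argument only needs it to be sound


class HashPRNG:
    """Toy Yarrow-style generator (illustrative only, not rnd(4) or Yarrow)."""

    GATE_EVERY = 10  # assumed: rekey after this many output blocks

    def __init__(self) -> None:
        self.pool = b""
        self.key = None
        self.counter = 0
        self.blocks_since_gate = 0

    def add_sample(self, sample: bytes) -> None:
        # Mixing: pool <- H(pool || sample). With a sound H, a later
        # attacker-chosen sample cannot cancel out earlier unknown ones.
        self.pool = HASH(self.pool + sample).digest()

    def reseed(self) -> None:
        # Derive the working key from everything mixed into the pool so far.
        self.key = HASH(b"reseed" + self.pool).digest()
        self.counter = 0
        self.blocks_since_gate = 0

    def _gate(self) -> None:
        # Replace the key with output derived from itself, so a later key
        # compromise does not reveal blocks generated before the gate.
        self.key = HASH(b"gate" + self.key + self.counter.to_bytes(8, "big")).digest()
        self.blocks_since_gate = 0

    def next_bytes(self, n: int) -> bytes:
        # Expansion: block_i = H(key || i). Every output block depends on the
        # whole key; no per-bit entropy is "spent" here, only seed entropy matters.
        if self.key is None:
            raise RuntimeError("generator not seeded")
        out = b""
        while len(out) < n:
            out += HASH(self.key + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
            self.blocks_since_gate += 1
            if self.blocks_since_gate >= self.GATE_EVERY:
                self._gate()
        return out[:n]


def seeded_generator(samples: Iterable[bytes]) -> HashPRNG:
    """Build a generator from constructed sample bytes (stand-ins for real events)."""
    g = HashPRNG()
    for s in samples:
        g.add_sample(s)
    g.reseed()
    return g
```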