- From: Alan Freier <freier@netscape.com>
- Date: Thu, 25 Apr 1996 10:23:54 -0700
- To: ietf-tls@w3.org
There seems to be divergence from the issue here. SSL 3.0 never intended time to be a source of randomness. In a more perfect world, those four bytes would be absolutely predictable. It is only the imperfections of the current OSs and networks that make it not so. During the development of the SSL 3.0 specification, it was observed that 28 bytes would be sufficient as a random value for the purpose at hand, and that is still believed that to be true. The extra four bytes, from SSL's point of view, are simply carried along as a convenience to its clients, though SSL purposely does not indicate what the client might do with the information. To the best of my knowledge, adding 4 predictable bytes to 28 (nearly) unpredictable bytes leaves you with 28 (nearly) unpredictable bytes. If someone believes that 28 bytes is not sufficient, then that would be an issue. I haven't heard anybody making such a claim. -- Alan O. Freier Corporate Cynic <freier@netscape.com> (415) 937-3638 (work)
Received on Thursday, 25 April 1996 13:23:59 UTC