Shepherd writeup

Technical Summary:

   Randomness is a crucial ingredient for TLS and related security
   protocols.  Weak or predictable "cryptographically-strong"
   pseudorandom number generators (CSPRNGs) can be abused or exploited
   for malicious purposes.  The Dual EC random number backdoor and
   Debian bugs are relevant examples of this problem.  An initial
   entropy source that seeds a CSPRNG might be weak or broken as well,
   which can also lead to critical and systemic security problems.  This
   document describes a way for security protocol participants to
   augment their CSPRNGs using long-term private keys.  This improves
   randomness from broken or otherwise subverted CSPRNGs.

Research Group Summary:

   The document was actively reviewed in CFRG and was presented
   at several face-to-face meetings. Comments were constructive
   but not particularly controversial. The document represents
   consensus of CFRG.

   There was a proposal to extend the document to cover constraint
   IOT cases, but CFRG decision was to do this work in a separate

   The document conforms to requirements from RFC 5743.

Document Quality:

  Interest in this work has been expressed by multiple parties
  at various points in time. In particular Apple, Cloudflare,
  and recently, the LAKE WG.

  There are at least two implementations in BoringSSL:
  one of which is public, the other is not. 


   Alexey Melnikov is the document shepherd.
   Colin Perkins is the responsible IRTF Chair.