Florian Weimer wrote:
Also, "RSA" isn't a single function because of the padding issue.
You need to specify PKCS#1 something or other. There's a normative
ref to RFC 3447 but nothing in the text.
By the way, dk-milter invokes OpenSSL with RSA_PKCS1_PADDING (whatever
that is). If a different algorithm is used, it shouldn't be called
"rsa-sha1", I guess.
(The description in the draft looks very much like unpadded hashed RSA
signatures, which have already been broken for this sort of
application.)
Right -- I agree with EKR on this one: we should just reference
the algorithm and not try to explain it. We were trying to get
this ironed out before the draft deadline but ran out of time.
And yes, we use RSA_PKCS1_PADDING.
Mike