Once more referring to 2440bis-12...
The sections on calculating signatures are really confusing. I can't
currently suggest alternate text for most of it because it's far from
clear to me what the actual algorithms are. If someone explains, I'll do
my best to write clarifying text.
Firstly:
5.2.2 says:
The signature calculation is based on a hash of the signed data, as
described above.
Until I wrote this email, I thought this sentence meant the signature
calculation was described above. I've just realised it means that the
hash is described above. I suggest instead:
The signature calculation is based on the hash of the signed data
described above.
Though since the hash is described much more usefully in 5.2.4, perhaps
it should simply refer to that instead?
It then goes on to say:
The details of the calculation are different for
DSA signature than for RSA signatures.
The hash h is PKCS-1 padded exactly the same way as for the above
described RSA signatures.
For the life of me, I can't see an "above described RSA signature" -
where is that? PKCS-1 is mentioned before, but for encryption, not signing.
It then goes on to describe truly revolting nastiness about PKCS-1
(shouldn't that be written PKCS#1, incidentally?) for doing RSA
signatures, but never, as far as I can see, says how to do a DSA
signature. From experiment, it seems to me that a DSA signature is done
directly on the hash, without any manipulation at all. Correct?
Then in 5.2.3:
The algorithms for converting the hash function result to a
signature are described in a section below.
Firstly, it would be much more friendly to say _which_ section below,
rather than leaving the reader to guess. I'd fill that in if I could
find the section, but I can't. The nearest I can get is 5.2.4, which says:
After all this has been hashed in a single hash context the
resulting hash field is used in the signature algorithm, and placed
at the end of the signature packet.
And that appears to be it, as far as signature algorithms are concerned.
Reading between the lines, I'm assuming that what this really means is
that the algorithms used are exactly what I'd expect, i.e. DSA directly
on the hash, and RSA with PKCS#1 padding and the, err, other stuff. But
references to further descriptions that I can't find leave me in doubt!
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
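As an added illustration, not part of Ben's e-mail or of the 2440bis draft text, the following Python sketches the two hash-to-signature-input steps the mail is asking about: the PKCS#1 v1.5 encoding (0x00 0x01, 0xFF padding, 0x00, then the DER DigestInfo prefix and the hash) that RSA signs, and the bare hash (truncated to the bit length of q) that DSA signs. The DigestInfo prefixes are the ones later listed in RFC 4880 section 13.1.3 and in PKCS#1; the truncation-to-q rule is the one RFC 4880 adopted. The function names and the sample message are my own constructions, and the code stops at the integer fed to the signing primitive, since the modular exponentiation itself is ordinary RSA/DSA.

```python
import hashlib

# DER-encoded DigestInfo prefixes (AlgorithmIdentifier + OCTET STRING header)
# that precede the raw hash in T, per PKCS#1 v1.5 / RFC 4880 section 13.1.3.
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def emsa_pkcs1_v1_5_encode(hash_name: str, digest: bytes, em_len: int) -> bytes:
    """Build EM = 0x00 || 0x01 || PS || 0x00 || T for an RSA signature.

    PS is at least eight 0xFF bytes and T is DigestInfo || digest. em_len is
    the byte length of the RSA modulus. Hypothetical helper for illustration.
    """
    if len(digest) != hashlib.new(hash_name).digest_size:
        raise ValueError("digest length does not match %s" % hash_name)
    t = DIGEST_INFO_PREFIX[hash_name] + digest
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def emsa_pkcs1_v1_5_check(em: bytes, hash_name: str, digest: bytes) -> bool:
    """Verifier side: rebuild the expected EM and compare the whole thing.

    Rebuilding and comparing, rather than scanning for the 0x00 separator,
    means padding of the wrong length or with stray bytes is rejected.
    """
    try:
        expected = emsa_pkcs1_v1_5_encode(hash_name, digest, len(em))
    except ValueError:
        return False
    return expected == em


def rsa_signature_input(hash_name: str, data: bytes, modulus_bits: int) -> int:
    """Hash the signed data and return the integer RSA raises to d mod n."""
    digest = hashlib.new(hash_name, data).digest()
    em = emsa_pkcs1_v1_5_encode(hash_name, digest, (modulus_bits + 7) // 8)
    return int.from_bytes(em, "big")


def dsa_signature_input(hash_name: str, data: bytes, q_bits: int) -> int:
    """Hash the signed data and return the integer DSA signs directly.

    No padding at all: if the hash is wider than q, keep its leftmost q_bits
    bits (RFC 4880's rule); otherwise the whole hash is used.
    """
    digest = hashlib.new(hash_name, data).digest()
    h = int.from_bytes(digest, "big")
    excess = len(digest) * 8 - q_bits
    if excess > 0:
        h >>= excess
    return h


if __name__ == "__main__":
    msg = b"abc"  # constructed sample of "signed data" after the OpenPGP hashing steps
    em = emsa_pkcs1_v1_5_encode("sha1", hashlib.sha1(msg).digest(), 128)
    print("RSA EM (1024-bit key, SHA-1):", em.hex())
    print("DSA input (q of 160 bits, SHA-1): %x" % dsa_signature_input("sha1", msg, 160))
```

The RSA path is where the draft's "PKCS-1 padded exactly the same way" language applies; the DSA path is the "directly on the hash, without any manipulation" reading, the only manipulation being truncation when the hash is wider than q.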