Peter Gutmann wrote:
Ben Laurie <ben(_at_)algroup(_dot_)co(_dot_)uk> writes:
I have one less FF than I (think) I should have.
You don't count the FF's, you just continue along them until you find a non-
FF.
This is incorrect.
However, further research answers my own question and reveals a bug in
d-i-o-r-13. RFC 2437 specifies RSA signing in section 8.1.1 - and this
uses (for some reason, any idea why?) an EMSA-PKCS1-V1_5 encoding of
length k-1 (where k is the keylength in octets). I presume that OpenPGP
uses this algorithm. The I-D does not specify the length of the
encoding, which is a bug: it should either specify it is of length k-1
or refer to RFC 2437 8.1.1.
However, I'm still left with a question, since 2437 only specifies RSA
signatures. What lengths should be used with DSA and Elgamal?
Of course, since these will have to be specified, it would make more
sense to specify the length in the I-D than to refer to 2437 for it.
Cheers,
Ben.