ietf-openpgp

Re: Stupid hash question?

2005-05-31 10:00:56

Ben Laurie writes:
> This is true, as I said elsewhere - but the I-D does not refer to the
> place where you are told this.

Yes, perhaps section 8.1 of RFC 2437 would be a better place to link to.
Although that describes more than just padding...

> As an incidental cryptographic query - it seems to me that merely not
> having the top bit set should be sufficient to ensure that the MSB is
> not too large, so it isn't clear to me (given that the first byte is 1)
> why an extra byte of padding is deemed necessary. Did I miss something?

If the modulus started off 0x01 0x00... then padding as 0x01 0xFF...
would not be guaranteed to be smaller than the modulus.

Also, there are two padding versions, one with a type of 0x01 for
signatures, and one with a type of 0x02 for encryption, and the 0x02
version would be even more problematic if the 2 were put into the MSByte.
Making an MSB of zero solves both problems.

They could have done it bit-oriented and pushed the 1/2 type information
a few bits further to the left, but byte-oriented padding is generally
simpler to implement.

Hal
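
The modulus case described in the message above, worked through as an added example that is not part of the original post. The names `pad_block`, `fits`, `compare`, `N_LOW` and the 64-byte block length are assumptions made for illustration; `N_LOW` is a constructed number with the byte shape 0x01 0x00..., not a real RSA modulus.

```python
import os

K = 64  # block length in bytes (constructed; real moduli are larger)
# Constructed value shaped like the example in the message: 0x01 0x00 ... 0x01.
# It is not a real RSA modulus, only a number with a small top byte.
N_LOW = int.from_bytes(b"\x01" + b"\x00" * (K - 2) + b"\x01", "big")
PAYLOAD = bytes(range(20))  # constructed stand-in for the hash data


def pad_block(k, block_type, payload, leading_zero=True):
    """Return a k-byte block: [0x00] || type || PS || 0x00 || payload."""
    header = (b"\x00" if leading_zero else b"") + bytes([block_type])
    ps_len = k - len(header) - 1 - len(payload)
    if ps_len < 8:
        raise ValueError("payload too long for this block length")
    if block_type == 0x01:      # signature padding: all 0xFF
        ps = b"\xff" * ps_len
    elif block_type == 0x02:    # encryption padding: random nonzero bytes
        ps = bytes(b % 255 + 1 for b in os.urandom(ps_len))
    else:
        raise ValueError("unsupported block type")
    return header + ps + b"\x00" + payload


def fits(block, n):
    """True if the block, read as a big-endian integer, is below n."""
    return int.from_bytes(block, "big") < n


def compare(n=N_LOW, k=K, payload=PAYLOAD):
    """Map (block_type, leading_zero) -> whether the block is below n."""
    return {
        (bt, lz): fits(pad_block(k, bt, payload, leading_zero=lz), n)
        for bt in (0x01, 0x02)
        for lz in (True, False)
    }


if __name__ == "__main__":
    for (bt, lz), ok in compare().items():
        print(f"type 0x{bt:02x} leading_zero={lz}: below modulus = {ok}")
```

With a modulus whose top byte is large (for example 0xC0) all four variants fit, so the zero byte matters only because the padding must work for every modulus of that byte length.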

