Dear Rich --
ENCRYPTED OCTET STRING } -- signature
Jeff Thompson's comments concern the interpretation of the ENCRYPTED
macro. The literal interpretation of X.509 is that:
(i) the quantity to be signed is encoded in DER;
(ii) the DER-encoded quantity is digested with a message digest algorithm;
(iii) the message digest is encoded as an OCTET STRING in DER;
(iv) the DER-encoded OCTET STRING is encrypted with the signer's key.
In the case of X.509 rsa, this means literally that the integer input
to RSA encryption has the form
04 10 || digest
assuming a 16-byte digest, such as MD5. (X.509 does allow the OCTET
STRING value to identify the message-digest algorithm.)
PKCS #1's signature algorithms avoid the intermediate OCTET STRING
encoding by effectively redefining RSA encryption to remove the 04 10
prefix and put some other bits there. PKCS #1 does this implicitly,
taking "algorithmic license" to override the literal X.509 statements.
Summarizing, Jeff's point is that PKCS #1 doesn't follow X.509
literally, but it remains compatible with what X.509 expects, and
therefore the comments in RFC 1114 about ambiguity are not relevant.
-- Burt Kaliski
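The four steps of the literal X.509 interpretation, worked through in Python as an added example that is not part of Kaliski's message: the digest is wrapped as a DER OCTET STRING, giving the 04 10 || digest form for a 16-byte MD5 digest, and a strict decoder shows a verifier's view of it. The DER length encoder also handles the long form, going beyond the 16-byte case in the text; the to-be-signed quantity is a constructed stand-in.

```python
import hashlib


def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form above (added, not from the message)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_octet_string(value: bytes) -> bytes:
    """Tag 04 (OCTET STRING), DER length, then the content octets: step (iii)."""
    return b"\x04" + der_length(len(value)) + value


def x509_signature_input(der_encoded_quantity: bytes, digest_alg: str = "md5") -> bytes:
    """Steps (ii) and (iii): digest the DER quantity, then DER-encode the digest."""
    digest = hashlib.new(digest_alg, der_encoded_quantity).digest()
    return der_octet_string(digest)


def rsa_integer_input(der_encoded_quantity: bytes) -> int:
    """Step (iv): the octets 04 10 || digest read as the integer handed to RSA."""
    return int.from_bytes(x509_signature_input(der_encoded_quantity), "big")


def parse_octet_string(encoded: bytes) -> bytes:
    """Strict DER decoder for the OCTET STRING above; a verifier's view of the data."""
    if len(encoded) < 2 or encoded[0] != 0x04:
        raise ValueError("not an OCTET STRING")
    first = encoded[1]
    if first < 0x80:
        length, start = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or len(encoded) < 2 + nbytes or encoded[2] == 0:
            raise ValueError("bad long-form length")
        length, start = int.from_bytes(encoded[2:2 + nbytes], "big"), 2 + nbytes
        if length < 0x80:
            raise ValueError("non-minimal length, not DER")
    if len(encoded) != start + length:
        raise ValueError("length does not match content")
    return encoded[start:]


if __name__ == "__main__":
    tbs = b"\x30\x03\x02\x01\x05"  # constructed stand-in for a DER-encoded quantity
    print(x509_signature_input(tbs).hex())  # begins with 0410 for a 16-byte MD5 digest
```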