[dnsext] Re: Is rfc3110 correct?
- Subject: [dnsext] Re: Is rfc3110 correct?
- From: Mark Andrews <marka@isc.org>
- Date: Sat, 24 Oct 2009 19:23:02 +1100
- Cc: namedroppers@ops.ietf.org
- In-reply-to: Your message of "Sat, 24 Oct 2009 19:11:08 +1100."
Mark Andrews writes:
>
> This looks like it should be PKCS1 type 1 padding but that
> starts with 00.
>
> % grep signature rfc2537.txt rfc3110.txt | grep FF
> rfc2537.txt: signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n)
> rfc3110.txt: signature = ( 01 | FF* | 00 | prefix | hash ) ** e (mod n)
> %
Don't worry, rfc3110 is size of n - 1 and rfc2537 is size of n
so both have the same prefix. We shouldn't flip back and forth
in style however.
> draft-ietf-dnsext-dnssec-rsasha256-14 looks ok.
>
> % grep signature draft-ietf-dnsext-dnssec-rsasha256-14.txt | grep FF
> signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n)
> %
>
> I noticed this as rsasha256 and rsasha512 are not supported
> by OpenSSL 0.9.7 and so one had to use something more
> primitive than RSA_sign().
>
> Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
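
The two notations compared in the message above, worked through as an added example that is not part of the original message or of any RFC text: the block with the leading 00 is the size of n, the one without is one octet shorter, and both encode the same integer and so give the same signature. The toy key (two Mersenne primes), the sample message and the function names are constructed for illustration; SHA-1 and its DigestInfo prefix are assumed as the hash and "prefix".

```python
import hashlib

# DER DigestInfo prefix for SHA-1 (the "prefix" in the signature formula).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed toy key, illustration only: two Mersenne primes, never use for real.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8       # size of n in octets


def encode(data: bytes, leading_zero: bool) -> bytes:
    """Type 1 padding: [00 |] 01 | FF* | 00 | prefix | hash.

    leading_zero=True  -> K octets     (rfc2537 / rsasha256 draft notation)
    leading_zero=False -> K - 1 octets (rfc3110 notation)
    """
    t = SHA1_PREFIX + hashlib.sha1(data).digest()
    head = b"\x00\x01" if leading_zero else b"\x01"
    ps_len = K - 3 - len(t)         # the FF run has the same length in both
    if ps_len < 8:
        raise ValueError("modulus too small for this hash")
    return head + b"\xff" * ps_len + b"\x00" + t


def sign(data: bytes, leading_zero: bool) -> int:
    """Raise the padded block, read as a big-endian integer, to D mod N."""
    m = int.from_bytes(encode(data, leading_zero), "big")
    return pow(m, D, N)


def verify(data: bytes, sig: int) -> bool:
    """Strict check: rebuild the whole K-octet block and compare every octet,
    rather than parsing the padding out of the recovered value."""
    if not 0 <= sig < N:
        return False
    recovered = pow(sig, E, N).to_bytes(K, "big")
    return recovered == encode(data, leading_zero=True)


if __name__ == "__main__":
    msg = b"example.com. constructed RRset bytes"
    a, b = sign(msg, True), sign(msg, False)
    print("block lengths:", len(encode(msg, True)), len(encode(msg, False)))
    print("same signature:", a == b, "| verifies:", verify(msg, a))
```

Comparing the full reconstructed block is also how a verifier built on a raw RSA operation, rather than a library signing call, avoids accepting malformed padding.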