IETF-SSH archive


Re: draft-harris-ssh-rsa-kex-01.txt



[ This is a repost; by mistake I first replied only to Ben Harris, not
  to the list. ]

Ben Harris <bjh21%bjh21.me.uk@localhost> writes:

> In article <200504030127.UAA27141%Sparkle.Rodents.Montreal.QC.CA@localhost> you write:
> >   Note that the encoding of the encrypted secret is similar to the
> >   "mpint" encoding of the raw RSA encryption result, but differs in
> >   its handling of high-order 0 bits.  The packet contains the octet
> >   sequence as a "string", not the raw RSA output as an "mpint".
> >
> >(Assuming of course that that's what is intended; if not, the wording
> >needs even more work.)
> 
> That is the intention, yes, and I agree that it would probably be best to
> make this difference explicit.

I don't quite like the old choice of the "string" type for
rsa_signature_blob (and dss_signature_blob) instead of mpint, although
I understand it may make the interface to off-the-shelf RSA libraries
a little easier.

At a first look, it seems like you're introducing yet another
almost-mpint representation for one particular bignum in the protocol,
which at least to me appears as a very bad idea; my gut reaction was
the same as Peter's.

If you want to do it this way, it's easier to accept if you make clear
that you're really using the same representation as for
rsa_signature_blob (at least I hope you *are* using the same
representation, but I haven't looked into this in sufficient detail
yet).

Regards,
/Niels
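
The "string" versus "mpint" difference discussed in this thread, as an added example that is not part of the message or of the draft. It assumes the "string" form carries exactly k octets (the modulus length, as produced by PKCS#1 I2OSP); the function names and the toy k = 4 are hypothetical.

```python
import struct

K = 4  # constructed toy modulus length in octets (real RSA: 128 or more)

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 "string": uint32 length, then the octets unchanged."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """RFC 4251 "mpint" for n >= 0: minimal big-endian two's complement."""
    if n < 0:
        raise ValueError("negative values not handled in this sketch")
    # bit_length() // 8 + 1 octets drops leading zero octets but keeps room
    # for a 0x00 sign octet when the top bit is set; zero is the empty string.
    body = n.to_bytes(n.bit_length() // 8 + 1, "big") if n else b""
    return ssh_string(body)

def octet_string(n: int, k: int = K) -> bytes:
    """Assumed "string" form: exactly k octets, high-order zeros kept."""
    return ssh_string(n.to_bytes(k, "big"))  # OverflowError if n >= 256**k

def parse_octet_string(packet: bytes, k: int = K) -> int:
    """Strict receiver: the length must be exactly k, so an mpint-style
    body (stripped or sign-extended) is rejected instead of reinterpreted."""
    if len(packet) < 4:
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", packet[:4])
    body = packet[4:]
    if length != len(body) or length != k:
        raise ValueError(f"expected {k} octets, got {length}")
    return int.from_bytes(body, "big")

def compare(n: int) -> tuple[str, str]:
    """Hex of both encodings of the same value, for side-by-side reading."""
    return octet_string(n).hex(), ssh_mpint(n).hex()

if __name__ == "__main__":
    # Constructed values: high-order zero octets, top bit set, neither.
    for n in (0x00001234, 0x80000001, 0x12345678):
        as_string, as_mpint = compare(n)
        print(f"{n:#010x}  string={as_string}  mpint={as_mpint}")
```

The two encodings agree only when the top octet is non-zero and its high bit is clear; otherwise the mpint is shorter (stripped zeros) or one octet longer (sign octet).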


