I have submitted -03 which adds a MUST check for the all-zero secret, and clarifies the mpint conversion further -- a reference to section 5 of RFC 4251 is added which explains this properly. Unfortunately, 4251§5 doesn't say that mpints are prepended by a uint32 with the length of the data (or the example is wrong). Please holler if implementations do not have the uint32 in the mpint that is hashed, or generally if you believe the new section 2.1 could be clarified further.

https://tools.ietf.org/html/draft-josefsson-ssh-curves-03

/Simon
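The two points raised in the message, as an added example that is not part of the original message or of the draft: rejecting an all-zero shared secret, then encoding the secret as an mpint with the uint32 length in front, matching the worked examples in RFC 4251 section 5. The function names are hypothetical, and treating the raw secret octets as a big-endian unsigned integer is an assumption of this example.

```python
import hmac
import struct


def encode_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint, uint32 length included."""
    if value < 0:
        raise ValueError("only non-negative values are handled in this example")
    if value == 0:
        # Zero is stored as a string with zero bytes of data.
        return struct.pack(">I", 0)
    # bit_length() // 8 + 1 adds a leading 0x00 exactly when the top bit of
    # the first octet would otherwise be set (which would mark it negative),
    # and never adds an unnecessary leading zero octet.
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(body)) + body


def shared_secret_to_mpint(raw: bytes) -> bytes:
    """Check the raw shared secret, then return the mpint form that is hashed.

    Assumption (not taken from the page): the raw octets are interpreted as
    an unsigned integer in network byte order before mpint encoding.
    """
    # Constant-time comparison against an all-zero string of the same length.
    if hmac.compare_digest(raw, bytes(len(raw))):
        raise ValueError("all-zero shared secret: abort the key exchange")
    return encode_mpint(int.from_bytes(raw, "big"))


if __name__ == "__main__":
    # Constructed sample secrets (not real key-exchange output).
    high_bit = b"\x80" + bytes(31)        # top bit set: gains a 0x00 octet
    leading_zero = b"\x00\x01" + bytes(30)  # leading zero octet is dropped
    for name, raw in (("high_bit", high_bit), ("leading_zero", leading_zero)):
        print(name, shared_secret_to_mpint(raw).hex())
```

The encoded length therefore varies (33 and 31 data octets for the two samples), which is why two implementations only agree on the exchange hash if both include the same uint32 prefix and apply the same leading-zero rules.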