Re: FW: Re: rsa/oaep


      I wish to document my view that treating the default MGF as
MGF1(SHA-1) rather than MGF1(DigestMethod) is a mistake, although I appear
to have been outvoted.  The currently posted draft does not make clear
which interpretation is to be used ("using the mask generator function MGF1
specified in RFC 2437"), and the apparent reason for the defaulting in
PKCS#1 is that it is easiest to default values to a literal constant in
ASN.1.  There is no syntax defined in the draft by which the MGF1's digest
method can be specified, unlike in PKCS#1.  While Don is correct that there
are no reasons why the DigestMethod and the MGF1's digest method must
match, the reasons for increasing the range size of one apply almost
equally strongly to the other, and increases in the range size of a digest
method are IMO the principal reason for the use of an algorithm other than
SHA-1 in this context.
      Current implementations which use SHA-1 for both the DigestMethod and
the MGF's digest method would be unaffected by either interpretation.
Nobody has stated AFAIK that they have implemented anything other than
SHA-1 for either digest method.

            Tom Gindin

Joseph Reagle <> on 04/25/2002 04:16:26 PM

To:    Donald Eastlake 3rd <>,
Subject:    Re: FW: Re: rsa/oaep

On Thursday 25 April 2002 00:40, Donald Eastlake 3rd wrote:
> Seems to me that we should stick with the current implemented URI for
> the currently implemented algorithm with the current parameters.

This sounds like the best bet to me. What we have does work, and it might
not be the best format for future parameters but that bridge can be crossed
when encountered. (A new identifier/namespace and all the parameters
desired can be proposed.) So I'm going to stick with the text I have now in
[1] and consider the issue closed unless someone wants to document their


 $Revision: 1.184 $ on $Date: 2002/04/17 13:17:07 $ GMT

Received on Friday, 26 April 2002 07:43:09 UTC
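
The two readings discussed in this thread, MGF1(SHA-1) and MGF1(DigestMethod), can be compared directly. The following is an added illustration, not code from the thread or the draft: it applies the EME-OAEP encoding of RFC 2437 (padding only, no RSA step) and checks whether a sender and a receiver who pick different MGF1 digests can still exchange a message. The function names, the 127-byte block length, the fixed seed and the sample message are constructed for the example.

```python
import hashlib

def mgf1(seed, length, hash_name):
    """MGF1 (RFC 2437): concatenate Hash(seed || 4-byte counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, em_len, seed, digest, mgf_digest, params=b""):
    """EME-OAEP encode: EM = maskedSeed || maskedDB."""
    p_hash = hashlib.new(digest, params).digest()
    pad_len = em_len - len(msg) - 2 * len(p_hash) - 1
    if pad_len < 0 or len(seed) != len(p_hash):
        raise ValueError("bad message or seed length")
    db = p_hash + b"\x00" * pad_len + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, len(db), mgf_digest))
    masked_seed = xor(seed, mgf1(masked_db, len(seed), mgf_digest))
    return masked_seed + masked_db

def oaep_decode(em, digest, mgf_digest, params=b""):
    """EME-OAEP decode. Illustration only: not constant time."""
    p_hash = hashlib.new(digest, params).digest()
    h_len = len(p_hash)
    masked_seed, masked_db = em[:h_len], em[h_len:]
    seed = xor(masked_seed, mgf1(masked_db, h_len, mgf_digest))
    db = xor(masked_db, mgf1(seed, len(masked_db), mgf_digest))
    rest = db[h_len:].lstrip(b"\x00")
    if db[:h_len] != p_hash or rest[:1] != b"\x01":
        raise ValueError("decoding error")
    return rest[1:]

def interoperates(digest, sender_mgf, receiver_mgf):
    """True if the receiver recovers the sender's message."""
    msg = b"constructed sample key"            # constructed input
    h_len = hashlib.new(digest).digest_size
    seed = bytes(range(h_len))                 # fixed seed, repeatable run
    em = oaep_encode(msg, 127, seed, digest, sender_mgf)
    try:
        return oaep_decode(em, digest, receiver_mgf) == msg
    except ValueError:
        return False

if __name__ == "__main__":
    for digest in ("sha1", "sha256"):
        # sender reads the default as MGF1(SHA-1), receiver as MGF1(DigestMethod)
        print(digest, interoperates(digest, "sha1", digest))
```

With DigestMethod set to SHA-1 both readings produce the same encoding; with any other DigestMethod the receiver's decoding fails unless both sides agree on the MGF1 digest.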