ianG <i...@iang.org> writes: >Could OAEP be considered reasonable for signatures?
You need to define "appropriate". For example if you mean "interoperable" then OAEP isn't even appropriate for encryption, let alone signatures. If you're worried about timing channels then OAEP is also pretty inappropriate for any use. PKCS #1 OTOH will interop with pretty much anything, and you can do the padding check in close enough to constant time that it doesn't matter. Peter. _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
