Hello WG, (Chris, can you add this as an issue?) I have found some doubt in myself about how to calc the hashes and signatures. And by rereading draft-12 I was not able to solve them.
So, I want to share my doubt, and give an (one of several) solutions. Also, I propose some "new text", to be included in the (draft) RFC I give this new text, so we can study it, (given the hints in this mail), and be sure the sign-RFC will be clear. Both the solution(s) and the proposed text is "as I think the WG has meant it to be", with 1 exception, That one (no 3) is marked. In short, some general questions/solutions: 1) A hash of a (normal) syslog-message is over the complete message, including field-separating spaces In [3.9] this isn't specified. While [3.10] says "excluding the spaces" when mentioning signatures. 2) The signature, both in a SignatureBlock and a CertificateBlock, is calculated over the hash of the message. Not over message itself In [3.10] and [4.3.8] this is vage. It say "the signature". In other code and in (the mentioned_ standards about signature-algorithms the signature is always calculated over a hash. 3) The hash, used for signing the SignatureBlock and the CertificateBlock, is calculated over all field excluding the signature-field, and excluding spaces direct before the signature-field. (the field separator). It includes the PRI-part, the HEADER-part and all MSG-part fields upto and including the HASHES c.q. fragment-length, including the spaces between them. NOTE: This is different from the proposed text. Which excludes all spaces that are fields-separators. That however is harder to implement, but adds no security or functionality. To implement "without sep-spaces", the code has to decided for each space whether it is a "used a space" of used as field separator. Doable, but complex. Also, it requires to algorithms to calculated a hash. One with "all chars", and one "skipping spaces". As said, needless. Note: the references above [x.y] are section-number in draft-12 Text to be included: """ Calculating Hashes and Signatures Before a Signature or Certificate Block can be send, some cryptographic calculations needs to be done. Elsewhere in this document is specified which algorithms need to be used, and where to place the result. This section specifies the data used as input for those calculations For each device-message (not for relayed messages), a hash SHOULD be calculated. It is REQUIRED to use the complete message including PRI, HEADER and MSG parts as input for the hashing. Those hashes are transited, later, in a Signature Block. Both, the Signature Block and the Certificate Block contain a digital signature. Those signatures SHOULD be calculated over the HASH of the partially composed message. It is REQUIRED to calculate the HASH of all parts and all fields of the composing message, but the signature-field. Also, the separating space(s) direct before the signature-field NOT SHOULD be part of this calculation. After calculating the HASH and the SIGNATURE, a space and the SIGNATURE should appemded to the message. It is RECOMMENDED to send this message directly, as the timestamp will age. """ I think this can be included in chapter 5, as 5.1.*; where the existing text of chapter 5 become 5.2.* And the name of chapter 5 becomes "details" -- ALbert Mietus Send prive mail to: [EMAIL PROTECTED] Send business mail to: [EMAIL PROTECTED] Don't send spam mail!