factual error in the DSIG description in the OT spec.

[Martin Hosken]

Sorry if this has already made it to the lists.

Dear All,

> > I'd like to ask all interested parties to express their views on  
> > the DSIG table functionality and share their experiences (either  
> > negative or positive) with using it.
> 
> I believe that the major issue many people have with the DSIG table  
> is the lack of tools available to incorporate it into production  
> routines. If more tools were available, on a wider range of  
> platforms, then I'd expect that many of the problems that people see  
> would disappear – even if those tools were, dare I say it, Unix- 
> based, command line apps.
> 

DSIG is lacking a reference implementation. Looong ago (over 10 years), I tried to write code that would check a signature. Forget all the signing aspects. I just wanted to see if I could come up with the same content digest. I couldn't. I tried a few times and gave up. I notice that there is only one closed source implementation that claims to generate a valid DSIG table that is checked by the same code. I suspect that that implementation and the specification do not align. Either that or I messed it up. Either way I have yet to see anyone other than MS produce a valid content digest from independent code without sight of MS's implementation.

Could someone give some tested reference code that creates an unsigned content digest? If that happened perhaps we could then say that the DSIG table is actionable rather than failed.

Yours,
Martin