protocol specification update: clarify DSA
First mentioned by Adam Langley: https://lists.cypherpunks.ca/pipermail/otr-dev/2011-November/001230.html (follow-up: https://lists.cypherpunks.ca/pipermail/otr-dev/2014-October/002254.html)
In Protocol-v2.html and Protocol-v3.html, it says:
"This is the signature, using the private part of the key pubB, of the 32-byte MB (which does not need to be hashed again to produce the signature)."
In http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf, section 4.6:
"z = the leftmost min(N, outlen) bits of Hash(M)"
Where outlen is the output length of the hash function (256 here) and N is the bit length of q (160 for OTR).
Proposed clarification (in both protocol drafts): This is the signature, using the private part of the key pubB, of the 32-byte MB (taken modulo q, not truncated (as described in FIPS-186), and not hashed again).
(from redmine: created on 2014-10-29, closed on 2014-12-18)
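Added example (not part of the original issue or of any OTR implementation): it derives z from a 32-byte MB both ways and shows that a signature made with the "modulo q" rule does not verify when the verifier truncates per FIPS 186-3. The group (160-bit q, deliberately short p), key, nonce, message and all function names are constructed for the illustration.

```python
import hashlib

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:                       # Miller-Rabin with fixed bases
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def first_prime(start, step):
    while not is_probable_prime(start):
        start += step
    return start

# Constructed toy group: N = 160 bits as in OTR, but a short p so it runs fast.
Q = first_prime(2**159 + 1, 2)
P = first_prime(2**96 * Q + 1, 2 * Q)    # stepping by 2q keeps q | p - 1
G = pow(2, (P - 1) // Q, P)              # element of order q

def z_fips(mb, q):   # FIPS 186-3 section 4.6: leftmost min(N, outlen) bits
    return int.from_bytes(mb, "big") >> max(0, 8 * len(mb) - q.bit_length())
def z_otr(mb, q):    # proposed OTR wording: the whole 32-byte value modulo q
    return int.from_bytes(mb, "big") % q

def sign(z, x, k):
    r = pow(G, k, P) % Q
    return r, pow(k, -1, Q) * (z + x * r) % Q

def verify(z, r, s, y):
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return pow(G, z * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r

def demo(x=0x1234567890ABCDEF, k=0xFEDCBA0987654321):  # constructed key, fixed nonce (demo only)
    mb = hashlib.sha256(b"constructed stand-in for M_B").digest()
    r, s = sign(z_otr(mb, Q), x, k)       # signer follows the OTR rule
    return tuple(verify(z, r, s, pow(G, x, P)) for z in (z_otr(mb, Q), z_fips(mb, Q)))
```

`demo()` returns `(True, False)`: the same signature is accepted under the modulo rule and rejected under truncation, which is the interoperability failure the clarified wording is meant to prevent.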