tor-spec patch from adam langley

svn:r4439

doc/tor-spec.txt

@@ -31,8 +31,9 @@ TODO: (very soon)
 
    Unless otherwise specified, all symmetric ciphers are AES in counter
    mode, with an IV of all 0 bytes.  Asymmetric ciphers are either RSA
-   with 1024-bit keys and exponents of 65537, or DH with the safe prime
+   with 1024-bit keys and exponents of 65537, or DH where the generator
-   from rfc2409, section 6.2, whose hex representation is:
+   is 2 and the modulus is the safe prime from rfc2409, section 6.2,
+   whose hex representation is:
 
      "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
      "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
@@ -43,7 +44,7 @@ TODO: (very soon)
    All "hashes" are 20-byte SHA1 cryptographic digests.
 
    When we refer to "the hash of a public key", we mean the SHA1 hash of the
-   ASN.1 encoding of an RSA public key (as specified in PKCS.1).
+   DER encoding of an ASN.1 RSA public key (as specified in PKCS.1).
 
 1. System overview
 
@@ -71,9 +72,9 @@ TODO: (very soon)
    least 128 bits, and digests of at least 160 bits.
 
    An OP or OR always sends a two-certificate chain, consisting of a
-   self-signed certificate containing the OR's identity key, and a second
+   certificate using a short-term connection key and a second, self-
-   certificate using a short-term connection key.  The commonName of the
+   signed certificate containing the OR's identity key. The commonName of the
-   second certificate is the OR's nickname, and the commonName of the first
+   first certificate is the OR's nickname, and the commonName of the second
    certificate is the OR's nickname, followed by a space and the string
    "<identity>".
 
@@ -164,13 +165,14 @@ TODO: (very soon)
    The payload for a CREATE cell is an 'onion skin', which consists
    of the first step of the DH handshake data (also known as g^x).
 
-   The data is encrypted to Bob's PK as follows: Suppose Bob's PK is
+   The data is encrypted to Bob's PK as follows: Suppose Bob's PK
-   L octets long.  If the data to be encrypted is shorter than L-42,
+   modulus is L octets long. If the data to be encrypted is shorter
-   then it is encrypted directly (with OAEP padding).  If the data is at
+   than L-42, then it is encrypted directly (with OAEP padding: see
-   least as long as L-42, then a randomly generated 16-byte symmetric
+   ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf). If the
-   key is prepended to the data, after which the first L-16-42 bytes
+   data is at least as long as L-42, then a randomly generated 16-byte
-   of the data are encrypted with Bob's PK; and the rest of the data is
+   symmetric key is prepended to the data, after which the first L-16-42
-   encrypted with the symmetric key.
+   bytes of the data are encrypted with Bob's PK; and the rest of the
+   data is encrypted with the symmetric key.
 
    So in this case, the onion skin on the wire looks like:
        RSA-encrypted:
@@ -265,7 +267,7 @@ TODO: (very soon)
          router's exit policy does not exclude all pending streams
          that need a circuit.
 
-      2. Choose a chain of (N-1) chain of N onion routers
+      2. Choose a chain of (N-1) onion routers
          (R_1...R_N-1) to constitute the path, such that no router
          appears in the path twice.