Merge branch 'arti_1221' into 'main'

rend-spec: Note that the subject key in enc-key-cert always has sign=0.

See merge request tpo/core/torspec!240

1 files changed, 12 insertions, 2 deletions

diff --git a/spec/rend-spec/hsdesc-encrypt.md b/spec/rend-spec/hsdesc-encrypt.md
index f267dcb..3e91172 100644
--- a/spec/rend-spec/hsdesc-encrypt.md
+++ b/spec/rend-spec/hsdesc-encrypt.md
@@ -391,10 +391,15 @@ Followed by zero or more introduction points as follows (see section
           signing key.
 
           For "ntor" keys, certificate is a proposal 220 certificate
-          wrapped in "-----BEGIN ED25519 CERT-----" armor.  The subject
+          wrapped in "-----BEGIN ED25519 CERT-----" armor.
+
+          The subject
           key is the the ed25519 equivalent of a curve25519 public
           encryption key (`KP_hss_ntor`), with the ed25519 key
-          derived using the process in proposal 228 appendix A.  The
+          derived using the process in proposal 228 appendix A,
+          and its sign bit set to zero.
+
+          The
           signing key is the descriptor signing key (`KP_hs_desc_sign`).
           The certificate type must be [0B], and the signing-key
           extension is mandatory.
@@ -406,6 +411,11 @@ Followed by zero or more introduction points as follows (see section
           encryption key `KP_hss_ntor` is already available from
           the `enc-key` entry.
 
+          ALSO NOTE: Setting the sign bit of the subject key
+          to zero makes the subjected unusable for verification;
+          this is also a mistake preserved for compatiblility with
+          C tor.
+
         "legacy-key" NL key NL
 
           [None or at most once per introduction point]