author: John Brooks <special@torproject.org>, 2016-03-10 19:25:45 +0100
committer: George Kadianakis <desnacked@riseup.net>, 2016-04-08 19:25:57 +0300
commit: fdd5cc01bcb3c02901c51e3bd9f5812e4066c43b
tree: 13cb705ecd84dee43bb16f399b2207ea2925450f /proposals/224-rend-spec-ng.txt
parent: 68c654d37aaa4c3f9e87b6639c95509715369367
prop224: Minor fixes to descriptor format
Diffstat (limited to 'proposals/224-rend-spec-ng.txt')
-rw-r--r-- proposals/224-rend-spec-ng.txt 12
1 files changed, 7 insertions, 5 deletions
diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt
index f7a4304..78b2071 100644
--- a/proposals/224-rend-spec-ng.txt
+++ b/proposals/224-rend-spec-ng.txt
@@ -942,11 +942,14 @@ Status: Draft
The encrypted part of the hidden service descriptor is encrypted and
authenticated with symmetric keys generated as follows:
- salt = 16 random bytes, different for each post to each replica,
+ SALT = 16 bytes from H(random), different for each post to each replica,
even if the content of the descriptor hasn't changed.
(This avoids leaking service stability, and linking replicas
via encrypted data comparison.)
+ (We hash salt so that we don't leak the raw bytes returned by a PRNG
+ to the network. See [RANDOM-REFS].)
+
[ XX/teor - is the extra load on the HSDirs worth it? ]
secret_input = blinded_public_key(replica-keynum) |
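Review bot: The new SALT line says "16 bytes from H(random)" but does not state how many random bytes are fed to H or which 16 bytes of the digest are kept, which leaves the salt's entropy and the amount of PRNG output consumed up to each implementer. Consider spelling it out, for example "SALT = the first 16 bytes of H(R), where R is N fresh random bytes", with N given. The definition is also now uppercase SALT while the added rationale still reads "We hash salt"; pick one spelling and use the same name wherever the key derivation that starts at secret_input refers to it.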
@@ -960,13 +963,10 @@ Status: Draft
The encrypted data has the format:
- H(SALT) H(random bytes from above) [16 bytes]
+ SALT hashed random bytes from above [16 bytes]
ENCRYPTED The plaintext encrypted with S [variable]
MAC MAC of both above fields [32 bytes]
- (We hash salt so that we don't leak the raw bytes returned by a PRNG
- to the network. See [RANDOM-REFS].)
-
The encryption format is ENCRYPTED =
STREAM(SECRET_IV,SECRET_KEY) xor Plaintext
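Review bot: In the format table, the description "hashed random bytes from above" on the SALT row can be read as an instruction to hash the value a second time, much like the removed "H(SALT)" label. Since SALT is now defined as already hashed, the row could simply say "The SALT value defined above". The MAC row still says "both above fields"; naming them (SALT and ENCRYPTED) would make it explicit that the salt is authenticated.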
@@ -1040,6 +1040,8 @@ Status: Draft
[TODO: I'd like to have a cross-certification here too.]
+ To remain compatible with future revisions to the descriptor format,
+ clients should ignore unrecognized lines in the descriptor.
Other encryption and authentication key formats are allowed; clients
should ignore ones they do not recognize.
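Review bot: The added sentence "clients should ignore unrecognized lines in the descriptor" does not say which part of the descriptor it covers, and it sits directly above the existing sentence telling clients to ignore key formats they do not recognize, so the two rules overlap. Suggest naming the section the rule applies to and folding both sentences into one forward-compatibility rule. It would also help to say whether ignored lines are still covered by the descriptor's integrity checks, so that "ignore" is understood as a parsing rule only.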