Multiple ETYPE-INFO-ENTRY with same etype but different salts
Greg Hudson
ghudson at MIT.EDU
Tue Jul 19 09:28:25 EDT 2011
On Mon, 2011-07-18 at 21:31 -0400, Weijun Wang wrote:
> >> 3. The other 2 entries have salt missing or empty, so the default salt
> >> should be used
> >
> > An empty salt is like any other explicit salt. Do not use the default
> > salt if you see an empty one.
> ETYPE-INFO2 is:
>
> SEQUENCE
>   SEQUENCE
>     [0] INTEGER 1
>   SEQUENCE
>     [0] INTEGER 1
>     [1] STRING ""
>   SEQUENCE
>     [0] INTEGER 1
>     [1] STRING "UFL.EDU"
>     [2] OCTET STRING 0000: 01

Okay, so yes, in the actual scenario you'd probably use the default
salt, because the first entry (which is just as good as the other
entries) doesn't supply a salt. That entry corresponds to the
des-cbc-md5:normal entry in supported_enctypes.

I just wanted to be clear that if, for whatever reason, the code decided
to go with an entry that looked like the second entry (which comes from
the des-cbc-crc:v4 entry in supported_enctypes), it would want to use a
zero-length salt rather than the default salt.
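
An added example (not part of the original message and not MIT krb5 code) of the distinction discussed above: a small DER reader for ETYPE-INFO2 that keeps an absent salt (`None`) separate from an explicit empty one (`b""`), then applies the RFC 4120 default salt (realm followed by the principal's name components) only in the absent case. The sample bytes are constructed to mirror the quoted dump; the realm `EXAMPLE.COM`, the principal `alice`, and all function names are assumptions.

```python
# Added illustration, not MIT krb5 code. Assumes short-form DER lengths only.
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element at pos."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form element (not handled here)")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated element")
    return buf[pos], buf[pos + 2:end], end

def children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_etype_info2(der):
    """Return [(etype, salt, s2kparams)]; an absent OPTIONAL field is None."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ETYPE-INFO2 must be a SEQUENCE")
    entries = []
    for etag, entry in children(body):
        if etag != 0x30:
            raise ValueError("ETYPE-INFO2-ENTRY must be a SEQUENCE")
        # Context tags: [0] etype, [1] salt, [2] s2kparams; unwrap inner value.
        fields = {t: read_tlv(v, 0)[1] for t, v in children(entry)}
        etype = int.from_bytes(fields[0xA0], "big", signed=True)
        entries.append((etype, fields.get(0xA1), fields.get(0xA2)))
    return entries

def effective_salt(salt, realm, name_components):
    """Absent salt -> default salt; an explicit empty salt stays empty."""
    if salt is None:  # not `if not salt`, which would also match b""
        return realm + b"".join(name_components)
    return salt

# Constructed sample mirroring the three entries in the quoted dump.
E1 = bytes.fromhex("3005a003020101")
E2 = bytes.fromhex("3009a003020101a1021b00")
E3 = bytes.fromhex("3015a003020101a1091b07") + b"UFL.EDU" + bytes.fromhex("a203040101")
SAMPLE = bytes([0x30, len(E1 + E2 + E3)]) + E1 + E2 + E3

if __name__ == "__main__":
    for etype, salt, _ in parse_etype_info2(SAMPLE):
        # Realm and principal below are hypothetical.
        print(etype, salt, effective_salt(salt, b"EXAMPLE.COM", [b"alice"]))
```
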