Should Finalize output msg_prime?

[smhendrickson]

When writing a Token Verification procedure Ghous and I noted that an implementer must create the authenticator input exactly as described by the msg_prime creation:

1. msg_prime = concat("msg", int_to_bytes(len(metadata), 4), metadata, msg)

For example, this is an excerpt from public metadata issuance:

token_authenticator_input =  concat("msg",
    int_to_bytes(len(Token.metadata), 4),
    Token.metadata,
    token_input)
valid = RSASSA-PSS-VERIFY(pkM,
                          token_authenticator_input,
                          Token.authenticator)

Should we instead have the Finalize method output msg_prime so it can be forwarded directly to the Verifier without reconstruction?

[chris-wood]

This is a good idea. In the RSABSSA spec, the protocol outputs the "prepared message" (the thing signed) as well as the signature. We should do the same thing here. I don't think it needs to be an explicit output of Finalize, but rather something that client implementations can choose to provide to callers as needed.