指定消息验证器字段的documentation令人困惑：

5.14.  Message-Authenticator

  Earlier drafts of this memo used "Signature" as the name of this
  attribute, but Message-Authenticator is more precise.

String

  When present in an Access-Request packet, Message-Authenticator is
  an HMAC-MD5 [9] checksum of the entire Access-Request packet,
  including Type, ID, Length and authenticator, using the shared
  secret as the key, as follows.

  Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
  Request Authenticator, Attributes)

  When the checksum is calculated the signature string should be
  considered to be sixteen octets of zero.

  For Access-Challenge, Access-Accept, and Access-Reject packets,
  the Message-Authenticator is calculated as follows, using the
  Request-Authenticator from the Access-Request this packet is in
  reply to:

  Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
  Request Authenticator, Attributes)

  When the checksum is calculated the signature string should be
  considered to be sixteen octets of zero.  The shared secret is
  used as the key for the HMAC-MD5 hash.  The is calculated and
  inserted in the packet before the Response Authenticator is
  calculated.

引用：

消息验证器此时显然不能是属性，因为尚未计算它。在

  When the checksum is calculated the signature string should be
  considered to be sixteen octets of zero.

它说“签名”是指什么？这是说在属性中添加消息验证器，并将其值设置为16个零，以计算消息验证器，然后替换该值？？？在