If the variable size increase is only a few bytes, then three possibilities arise:

- one should allow signatures to be zero padded (to reach the maximum size) and abandon strict DER encoding

- one should allow spare witness stack elements (to pad the size to match the maximum size) and remove the cleanstack rule. But this is tricky because empty stack elements must be counted as 1 byte.

- signers must loop the generation of signatures until the signature generated is of its maximum size.




On Fri, Sep 22, 2017 at 6:39 PM, Mark Friedenbach <mark@friedenbach.org> wrote:
You generally know the witness size to within a few bytes right before signing. Why would you not? You know the size of ECDSA signatures. You can be told the size of a hash preimage by the other party. It takes some contriving to come up with a scheme where one party has variable-length signatures of their choosing.

> On Sep 22, 2017, at 2:32 PM, Sergio Demian Lerner <sergio.d.lerner@gmail.com> wrote:
>
> But generally before one signs a transaction one does not know the signature size (which may be variable). One can only estimate the maximum size.
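The size variation discussed in this thread, as an added example that is not part of any message above: a strict DER encoder for an ECDSA (r, s) pair, the resulting length distribution, and the expected number of signing attempts if a signer loops until the encoding reaches its maximum size. Assumptions: r and s are modelled as uniform random values below the secp256k1 group order rather than taken from real signatures, the trailing sighash byte is not counted, and all function names are illustrative.

```python
import random
from collections import Counter

# secp256k1 group order; r and s of a valid signature lie in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# 2-byte SEQUENCE header + two INTEGERs of (tag, length, 33-byte value).
MAX_LEN = 72


def der_int(x):
    """Strict DER INTEGER: minimal big-endian bytes, 0x00 prefix if top bit set."""
    body = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the value positive
    return b"\x02" + bytes([len(body)]) + body


def der_sig(r, s):
    """DER SEQUENCE of two INTEGERs (content is always shorter than 128 bytes)."""
    body = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(body)]) + body


def size_distribution(trials, seed=1):
    """Encoded length -> count, over constructed (r, s) pairs (stand-in values)."""
    rng = random.Random(seed)
    return Counter(
        len(der_sig(rng.randrange(1, N), rng.randrange(1, N)))
        for _ in range(trials)
    )


def expected_attempts(dist):
    """Mean number of signing attempts until the encoding has MAX_LEN bytes."""
    hits = dist[MAX_LEN]
    return sum(dist.values()) / hits if hits else float("inf")


if __name__ == "__main__":
    dist = size_distribution(20000)
    for size in sorted(dist):
        print(f"{size} bytes: {dist[size] / 20000:.4f}")
    print(f"expected attempts to reach {MAX_LEN} bytes: {expected_attempts(dist):.2f}")
```
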