[rfc-i] Signing RFCs

Olaf Kolkman olaf at NLnetLabs.nl
Fri Jul 1 00:41:43 PDT 2011


On Jun 29, 2011, at 5:50 PM, Russ Housley wrote:

> Olaf:
> 
>>>> Sorry, I have to be pedantic (it's one of those days) but I hope you mean that the certificates are donated to the 'RFC Editor'. I understand that the actual work happens at the publisher.
>>> 
>>> I am not sure what you are driving at here.  I would expect the certificate to name the RFC Publisher in the subject name, but include rfc-editor at rfc-editor.org as the email address.
>> 
>> What I am getting at is that this is an RFC Editor function (the 'entity', not the persons or the function).
>> 
>> Putting the RFC Publisher's name in a certificate that is supposed to identify the entity is IMHO not the right thing to do.
> 
> I see that I was writing in a hurry, and I was very unclear.
> 
> The IETF Secretariat has two certificates for Internet-Draft signing.  The private keys are stored in small hardware tokens, and one is on the East Coast and the other is on the West Coast to ensure continuity of operations.  I think the same approach is appropriate for the RFC Editor.
> 
> Comodo can only issue certificates to legal entities.  So, for the IETF Secretariat, the certificates were issued to the IETF Trust.  I think the same approach is appropriate for the RFC Editor.
> 
> I would suggest this naming structure:
> 
> countryName = 'US'
> stateOrProvinceName = 'Virginia'
> localityName = 'Reston'
> organizationName = 'IETF Trust'
> organizationalUnitName = 'RFC Publisher East' or 'RFC Publisher West'
> commonName = 'RFC Publisher'
> emailAddress = 'rfc-editor at rfc-editor.org'

I believe it was me that might have been unclear.

What I am trying to get at is that we should treat the RFC Editor as one single entity and that to external parties you do not want to expose the details of the RSE, publisher, and production house functions. We should be talking about the "RFC Editor".

That the RFC Editor does not have its own legal entity is a bit of a bummer but also a fact of life. So that the organizationName needs to be the IETF Trust is something that we live with.

Pragmatically:

> countryName = 'US'
> stateOrProvinceName = 'Virginia'
> localityName = 'Reston'
> organizationName = 'IETF Trust'
> organizationalUnitName = 'RFC Editor East' or 'RFC Editor West'
> commonName = 'RFC Editor'
> emailAddress = 'rfc-editor at rfc-editor.org'

________________________________________________________ 

Olaf M. Kolkman                        NLnet Labs
http://www.nlnetlabs.nl/
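The naming proposed above only helps relying parties if their checks key on the entity fields (O, CN, emailAddress) and tolerate the per-token OU, so that the East and West certificates are treated as one signer. The following is an added example, not code from the thread or from the RFC Editor, and it assumes the subject is available as an RFC 4514 DN string and that the list-obfuscated address is rfc-editor@rfc-editor.org.

```python
"""Relying-party policy for RFC Editor signing certificates (added example).

Assumptions: the subject DN arrives as an RFC 4514 string, the organization is
the IETF Trust (the RFC Editor has no legal entity of its own), and exactly two
hardware tokens exist, distinguished only by organizationalUnitName.
"""
import re

EXPECTED_ORG = "IETF Trust"
EXPECTED_CN = "RFC Editor"
EXPECTED_EMAIL = "rfc-editor@rfc-editor.org"   # assumed de-obfuscated form
ALLOWED_OUS = {"RFC Editor East", "RFC Editor West"}


def parse_dn(dn: str) -> dict:
    """Split a DN string into {attributeType: value}.

    Commas inside a value are escaped as '\\,' per RFC 4514; the negative
    lookbehind keeps them from being treated as separators. Multi-valued RDNs
    and repeated attribute types are not handled (last value wins).
    """
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):
        key, _, value = part.partition("=")
        attrs[key.strip()] = value.strip().replace("\\,", ",")
    return attrs


def accepts_rfc_editor_signer(dn: str) -> tuple:
    """Return (accepted, reason).

    O, CN and emailAddress identify the entity and must match exactly; OU only
    says which of the two tokens signed, so either known value is accepted.
    """
    attrs = parse_dn(dn)
    if attrs.get("O") != EXPECTED_ORG:
        return False, "organizationName must be the legal entity holding the certificate"
    if attrs.get("CN") != EXPECTED_CN:
        return False, "commonName must identify the RFC Editor as one entity"
    if attrs.get("emailAddress") != EXPECTED_EMAIL:
        return False, "emailAddress must be the RFC Editor contact address"
    if attrs.get("OU") not in ALLOWED_OUS:
        return False, "organizationalUnitName must name one of the two known tokens"
    return True, "accepted"
```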