[rfc-i] Signing RFCs
johnl at taugh.com
Tue Jun 28 14:42:13 PDT 2011
>Comodo donated the certificate to the IETF for the Internet-Draft
>signing. Comodo has offered to donate the certificates for the RFC
>Publisher to digitally sign RFCs in the same manner. I suggest we
>take them up on the offer.
It seems like a reasonable idea.
Do we (for some value of we) assert that the signature means anything
beyond "this is the same file that the RFC Publisher signed"? In
particular, does it assert that the signed document is an
authoritative copy of an RFC? What promises do we make to people who
rely on the assertions? I realize these are nitpicky legalistic
questions, but the whole point of signatures is to make stronger
assertions than you could merely by providing an unsigned file.
The signing cert expires in 2029. I realize that's 18 years from now,
but sometime around 2025 re-signing should be on someone's to-do list.
Question to which there is probably an answer I could have looked up:
what's the advantage of signing each document individually, as opposed
to signing a single file of SHA-256 hashes? The latter is a lot
quicker to verify if you're looking at more than one file.
More information about the rfc-interest