[rfc-i] Signing RFCs

Russ Housley housley at vigilsec.com
Tue Jun 28 15:20:04 PDT 2011

>> Comodo donated the certificate to the IETF for the Internet-Draft
>> signing.  Comodo has offered to donate the certificates for the RFC
>> Publisher to digitally sign RFCs in the same manner.  I suggest we
>> take them up on the offer.
>> Comments?  Thoughts?
> It seems like a reasonable idea.
> Do we (for some value of we) assert that the signature means anything
> beyond "this is the same file that the RFC Publisher signed"?  In
> particular, does it assert that the signed document is an
> authoritative copy of an RFC? What promises do we make to people who
> rely on the assertions?  I realize these are nitpicky legalistic
> questions, but the whole point of signatures is to make stronger
> assertions than you could merely by providing an unsigned file.
> The signing cert expires in 2029.  I realize that's 18 years from now,
> but sometime around 2025 re-signing should be on someone's to-do list.
> Question to which there is probably an answer I could have looked up:
> what's the advantage of signing each document individually, as opposed
> to signing a single file of SHA-256 hashes?  The latter is a lot
> quicker to verify if you're looking at more than one file.

Periodically, we receive a subpoena to validate various RFCs.  My hope is that digital signature can be used instead of a manual process.


More information about the rfc-interest mailing list