[rfc-i] Signing RFCs
Russ Housley
housley at vigilsec.com
Tue Jun 28 15:20:04 PDT 2011
>> Comodo donated the certificate to the IETF for the Internet-Draft
>> signing. Comodo has offered to donate the certificates for the RFC
>> Publisher to digitally sign RFCs in the same manner. I suggest we
>> take them up on the offer.
>
>> Comments? Thoughts?
>
> It seems like a reasonable idea.
>
> Do we (for some value of we) assert that the signature means anything
> beyond "this is the same file that the RFC Publisher signed"? In
> particular, does it assert that the signed document is an
> authoritative copy of an RFC? What promises do we make to people who
> rely on the assertions? I realize these are nitpicky legalistic
> questions, but the whole point of signatures is to make stronger
> assertions than you could merely by providing an unsigned file.
>
> The signing cert expires in 2029. I realize that's 18 years from now,
> but sometime around 2025 re-signing should be on someone's to-do list.
>
> Question to which there is probably an answer I could have looked up:
> what's the advantage of signing each document individually, as opposed
> to signing a single file of SHA-256 hashes? The latter is a lot
> quicker to verify if you're looking at more than one file.

Periodically, we receive a subpoena to validate various RFCs. My hope is that a digital signature can be used instead of a manual process.
Russ
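
The single-file-of-hashes alternative raised in the quoted question, sketched as an added example that is not part of the original message or any RFC Publisher tooling: one manifest is signed once, and each file is then checked with a plain SHA-256 comparison. The sha256sum-style line format, the function names and the sample files are assumptions, and the manifest's own signature is assumed to have been verified separately before the results are trusted.

```python
import hashlib
import re
import tempfile
from pathlib import Path

LINE = re.compile(r"([0-9a-f]{64})  ([^/\\]+)")  # assumed format: "<hex>  <name>"

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(directory: Path) -> str:
    """The text the publisher would sign once, instead of signing each file."""
    files = sorted(p for p in directory.iterdir() if p.is_file())
    return "".join(f"{sha256_file(p)}  {p.name}\n" for p in files)

def parse_manifest(text: str) -> dict:
    entries = {}
    for number, line in enumerate(text.splitlines(), 1):
        match = LINE.fullmatch(line)
        if not match or match.group(2) in entries:
            raise ValueError(f"malformed or duplicate manifest line {number}")
        entries[match.group(2)] = match.group(1)
    return entries

def verify_directory(directory: Path, manifest_text: str) -> dict:
    """Map each file name to 'ok', 'mismatch', 'missing' or 'unlisted'."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        path = directory / name
        if not path.is_file():
            results[name] = "missing"
        elif sha256_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    for path in directory.iterdir():
        if path.is_file() and path.name not in expected:
            results[path.name] = "unlisted"  # not covered by the signed manifest
    return results

def demo() -> dict:
    """Constructed sample files; names and contents are illustrative only."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("sample-a.txt", "sample-b.txt"):
            (root / name).write_text(f"constructed contents of {name}\n")
        manifest = build_manifest(root)
        (root / "sample-b.txt").write_text("changed after the manifest was made\n")
        (root / "sample-c.txt").write_text("added after the manifest was made\n")
        return verify_directory(root, manifest)
```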