[rfc-i] Signing RFCs

Paul Hoffman paul.hoffman at vpnc.org
Tue Jun 28 17:33:24 PDT 2011

On Jun 28, 2011, at 5:15 PM, John R Levine wrote:

>> Periodically, we receive a subpoena to validate various RFCs.  My hope is that digital signature can be used instead of a manual process.
> I'm not sure how that follows.  You get a subpoena that says something like "what is RFC 1234?" to which I presume someone responds with a letter saying "this is RFC 1234" and an attached printout, perhaps all delivered as a PDF for easy filing.  I don't see many courts being satisfied with a response that directs them to some crypto gobbledygook instead.

Having been subjected to a deposition (literally today) on a similar topic ("did you really and truly see something that looked like this on that web site on or before September 28, 1996"), I unfortunately believe that John is right. I cannot imagine that digitally signing documents will assuage anyone in any court. If one side of a dispute wants to be a butthead and force a deposition on something completely obvious, they can do so in the United States; I believe that is true in many other parts of the world.

Simply having the RFC Editor's web site also available over HTTPS chained to a well-known CA will be far more likely to reduce subpoenas than using a technology that we (well, a small part of us) understands but the legal system doesn't.

> This isn't to say that signing has no benefits, but this doesn't strike me as a likely one.

"Eating our own dogfood" is probably a benefit worth the cost of signing. Trying to find a different CA who will sign the RFC Editor's key is also good dogfood.

--Paul Hoffman

More information about the rfc-interest mailing list