[rfc-i] Signing RFCs

John R Levine johnl at taugh.com
Wed Jun 29 07:59:35 PDT 2011


> The subpoena includes several reams of paper.  RFCs are printed, and the court wants you to validate that the pages contain the RFC as published on such and such a date.  The lawyers have already found the RFC, they want someone else to confirm the content of the file that they already have.  That is exactly the right thing for the crypto gobbledygook to do.

Yuck. It is not your job to look through their printout to see if some 
sleazy lawyer tried to change a few critical words on page 147.  (At least 
not unless they are paying a consulting rate of several hundred dollars an 
hour.)

If I got one of those, I would print off the RFCs and send the printout 
back along with a cover letter saying "these are true copies of RFC 1234 
and 5678." If I were feeling generous I might give them URLs and the MD5 
and SHA-256 hashes of the files I printed.

But the important fact is that the court wants YOUR signature on the 
letter, not Comodo's signature on some files somewhere.

As I said before, there may well be value to PKI signatures, but at the 
moment the value mostly seems to be to detect accidental or deliberate 
tampering.  You could do that a lot easier by publishing a file of hashes 
on an SSL website.

Regards,
John Levine, johnl at taugh.com, Taughannock Networks, Trumansburg NY
"I dropped the toothpaste", said Tom, crestfallenly.
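
The file-of-hashes approach mentioned in the message above, sketched as an added example that is not part of the original post: a publisher builds a SHA-256 manifest, and a reader checks local copies against it. It assumes the manifest was fetched over HTTPS from the publisher's site; the file names and contents are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(directory: Path) -> str:
    """Publisher side: one 'digest  name' line per file (sha256sum layout)."""
    files = sorted(p for p in directory.iterdir() if p.is_file())
    return "".join(f"{sha256_file(p)}  {p.name}\n" for p in files)


def verify(manifest: str, directory: Path) -> dict:
    """Reader side: compare local copies against the published manifest."""
    expected = {}
    for line in manifest.splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            expected[name.strip()] = digest.lower()
    result = {}
    for name, digest in expected.items():
        path = directory / name
        if not path.is_file():
            result[name] = "MISSING"
        else:
            result[name] = "OK" if sha256_file(path) == digest else "MODIFIED"
    # A local file the manifest does not list is not vouched for by anyone.
    for p in directory.iterdir():
        if p.is_file() and p.name not in expected:
            result[p.name] = "UNLISTED"
    return result


def demo() -> dict:
    """Constructed stand-in documents; one is altered after the manifest is made."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "rfc1234.txt").write_text("The server MUST reject the request.\n")
        (d / "rfc5678.txt").write_text("The client SHOULD retry once.\n")
        manifest = build_manifest(d)
        (d / "rfc1234.txt").write_text("The server MAY reject the request.\n")
        (d / "unpublished.txt").write_text("not in the manifest\n")
        return verify(manifest, d)


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the channel the manifest arrived over, which is why the message pairs the hash file with an SSL website.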
