[rfc-i] Signing RFCs
John R Levine
johnl at taugh.com
Wed Jun 29 07:59:35 PDT 2011
> The subpoena includes several reams of paper. RFCs are printed, and the court wants you to validate that the pages contain the RFC as published on such and such a date. The lawyers have already found the RFC, they want someone else to confirm the content of the file that they already have. That is exactly the right thing for the crypto gobbledygook to do.

Yuck. It is not your job to look through their printout to see if some
sleazy lawyer tried to change a few critical words on page 147. (At least
not unless they are paying a consulting rate of several hundred dollars an
hour.)

If I got one of those, I would print off the RFCs and send the printout
back along with a cover letter saying "these are true copies of RFC 1234
and 5678." If I were feeling generous I might give them URLs and the MD5
and SHA-256 hashes of the files I printed.

But the important fact is that the court wants YOUR signature on the
letter, not Comodo's signature on some files somewhere.

As I said before, there may well be value to PKI signatures, but at the
moment the value mostly seems to be to detect accidental or deliberate
tampering. You could do that a lot easier by publishing a file of hashes
on an SSL website.

Regards,
John Levine, johnl at taugh.com, Taughannock Networks, Trumansburg NY
"I dropped the toothpaste", said Tom, crestfallenly.
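
Added example, not part of the original message: a Python sketch of the "file of hashes" check the message describes, building a SHA-256 manifest in sha256sum format and reporting which local copies no longer match it. The file names and contents are constructed placeholders, and fetching the published manifest over HTTPS is left out so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large documents need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory: Path) -> str:
    """Return sha256sum-style lines ('<hex>  <name>') for every file."""
    return "".join(f"{sha256_file(p)}  {p.name}\n"
                   for p in sorted(directory.iterdir()) if p.is_file())


def verify(directory: Path, manifest: str) -> dict:
    """Compare local copies against the manifest; returns name -> status."""
    results = {}
    for line in filter(str.strip, manifest.splitlines()):  # skip blank lines
        expected, name = line.split(None, 1)
        # Drop sha256sum's '*' binary marker and any path components.
        name = Path(name.lstrip("*")).name
        target = directory / name
        if not target.is_file():
            results[name] = "MISSING"
        elif sha256_file(target) == expected.lower():
            results[name] = "OK"
        else:
            results[name] = "MODIFIED"
    return results


def demo() -> dict:
    """Constructed sample: publish two files, then alter one word in a copy."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "doc-a.txt").write_text("The server MUST reject the request.\n")
        (d / "doc-b.txt").write_text("The client SHOULD retry once.\n")
        manifest = build_manifest(d)  # this is what would be published
        (d / "doc-a.txt").write_text("The server MAY reject the request.\n")
        return verify(d, manifest)


if __name__ == "__main__":
    print(demo())
```

The check only shows that a copy matches the manifest; how far that is worth trusting depends on how the manifest itself was obtained.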