[rfc-i] Signing RFCs

Russ Housley housley at vigilsec.com
Wed Jun 29 08:50:42 PDT 2011


Olaf:

>>> Sorry, I have to be pedantic (it's one of those days) but I hope you mean that the certificates are donated to the 'RFC Editor'. I understand that the actual work happens at the publisher.
>> 
>> I am not sure what you are driving at here.  I would expect the certificate to name the RFC Publisher in the subject name, but include rfc-editor at rfc-editor.org as the email address.
> 
> What I am getting at is that this is an RFC Editor function (the 'entity', not the persons or the function).
> 
> Putting the RFC Publisher's name in a certificate that is supposed to identify the entity is IMHO not the right thing to do.

I see that I was writing in a hurry, and I was very unclear.

The IETF Secretariat has two certificates for Internet-Draft signing.  The private keys are stored in small hardware tokens, and one is on the East Coast and the other is on the West Coast to ensure continuity of operations.  I think the same approach is appropriate for the RFC Editor.

Comodo can only issue certificates to legal entities.  So, for the IETF Secretariat, the certificates were issued to the IETF Trust.  I think the same approach is appropriate for the RFC Editor.

I would suggest this naming structure:

countryName = 'US'
stateOrProvinceName = 'Virginia'
localityName = 'Reston'
organizationName = 'IETF Trust'
organizationalUnitName = 'RFC Publisher East' or 'RFC Publisher West'
commonName = 'RFC Publisher'
emailAddress = 'rfc-editor at rfc-editor.org'

Russ
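As an added illustration, not code from the thread or from the IETF Secretariat, here is a stdlib-only Python encoding of the proposed subject as the X.501 Name a CA would place in the certificate's Subject field, with one RDN per attribute in the order listed above. It assumes the attribute OIDs and string types from X.520 and RFC 5280, and renders the list's "rfc-editor at rfc-editor.org" as rfc-editor@rfc-editor.org.

```python
# OIDs for the attribute types in the proposed subject name (X.520 / PKCS#9).
OIDS = {"countryName": "2.5.4.6", "stateOrProvinceName": "2.5.4.8",
        "localityName": "2.5.4.7", "organizationName": "2.5.4.10",
        "organizationalUnitName": "2.5.4.11", "commonName": "2.5.4.3",
        "emailAddress": "1.2.840.113549.1.9.1"}
# RFC 5280: countryName is a PrintableString and emailAddress an IA5String;
# the other DirectoryString attributes are encoded here as UTF8String.
TAGS = {"countryName": 0x13, "emailAddress": 0x16}

def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_name(attrs):
    """RDNSequence: SEQUENCE OF (SET OF SEQUENCE {type, value}), one RDN per attribute."""
    rdns = b""
    for attr, value in attrs:
        atv = encode_oid(OIDS[attr]) + tlv(TAGS.get(attr, 0x0C), value.encode("utf-8"))
        rdns += tlv(0x31, tlv(0x30, atv))
    return tlv(0x30, rdns)

def rfc_publisher_subject(coast):
    """Subject for the East or West token; the two differ only in the OU (assumed '@' form)."""
    return encode_name([("countryName", "US"), ("stateOrProvinceName", "Virginia"),
                        ("localityName", "Reston"), ("organizationName", "IETF Trust"),
                        ("organizationalUnitName", "RFC Publisher " + coast),
                        ("commonName", "RFC Publisher"),
                        ("emailAddress", "rfc-editor@rfc-editor.org")])

print(rfc_publisher_subject("East").hex())
```

The outer SEQUENCE of either subject is 165 content octets, so the example also exercises the long-form length encoding (30 81 a5) that a decoder must handle.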

