[rfc-i] Signing RFCs

Kurt Zeilenga Kurt.Zeilenga at Isode.com
Wed Jun 29 09:54:16 PDT 2011

On Jun 29, 2011, at 9:13 AM, Bob Hinden wrote:

> On Jun 29, 2011, at 8:56 AM, Russ Housley wrote:
>> Kurt:
>>>> That said, there is no way to test this theory without signing the documents.
>>> I seriously doubt the digital signature laws will, for documents which are signed, significantly reduce subpoenas for true copies of documents… as relying on a digital signature implies having an expert to testify to the validity of the signature. It is far easier to subpoena a true and accurate copy of a document from its publisher.
>>> Regardless, they will need to hire an expert to testify as to whether two purported copies of the same document are copies of the same document. The IETF, or any of its associated organizations, should not offer expert testimony.
>> Subpoenas do not have anything to do with things that we are offering.
>> So far, we have been able to have the RFC Editor (most recently Bob Braden) explain the processes used by the RFC Editor in order to provide confidence that the content of the file was unchanged from the date on the title page.  So far, we have not had to go to court to do so.  It would be great if the digital signature could eliminate this step too.
> I think signing RFCs would make this process easier (that is, easier for the RFC Editor to explain why the file is unchanged) and is worth doing.  That in itself is a win.  Also, after it is done a few times, a legal precedent may be set that will make it easier in the future.  We won't know till it happens.

Using one's own digital signatures to validate that the storage of the RFC copies is secure is reasonable (under the assumption the signing key is well secured)…

I have no objection to signing RFCs, even if just for the hell of it.

I simply don't agree that they'll have a significant impact on the amount of work required by the IETF (and/or related organizations) to respond to subpoenas and other legal enquiries.

The best way to reduce the work is to limit your response to facts you know, not opinions you have or might be able to develop.

I have no problem with the RFC Editor, in response to a question about RFC XXX published on DATE Y, answering "Here's RFC XXX as published today" and simply not offering an opinion as to what was published on DATE Y.  For all the RFC Editor knows, the server could have temporarily published something else on that date, digital signatures or not.

-- Kurt
