[rfc-i] fun with electronic signatures

John Levine johnl at taugh.com
Wed Jun 29 16:59:15 PDT 2011


>Given the current digital signature law, it is my understanding that
>the need for the subpoena can be eliminated.  That said, the is no
>way to test this theory without signing the documents.

Having done more than my share of expert witness work, I would be
pretty surprised if that were so.  As I think I've said before,
there's no reason not to go ahead and publish PKI signatures on RFCs,
but other than the eat-your-dogfood aspect I don't see much practical
benefit.

It would be nice if there were a way for people with expertise in the
field who are not the IETF (me, for example) to declare in a manner
that would persuade a court that a copy of an RFC was authentic.  The
PKI signatures don't do that.  Imagine I'm on the stand:

 How do you know this file is the real RFC?

 There's a dated signature file that validates and the signature is
 signed by an English company called Comodo.

 How do you know it validates?

 I used this program called OpenSSL 1.0.

 Did you write that program?

 Uh, no, but I hear the guys who did are fine fellows.

 Did you check it with any other program?

 Uh. no, I don't have any other program that checks detatched S/MIME
 signatures.

 How do you know the date is real? Could they have changed the
 file and retroactively re-signed it?

 Well, they said they wouldn't do that.

etc.

On the other hand, if every month or every year you published lists of
MD5 or SHA256 hashes of the RFCs in a way that would get archived in
lots of places, preferably including on paper, then it would be a
snap. I could say I calculated the hashes using two or three separate
implementations of MD5 or SHA256, and I visually compared the hashes
to see that they matched the printout that was handed out at an IETF
meeting shortly after the RFC was published.  A clever lawyer will ask
what about preimage attacks on MD5, but that's what an expert is for,
to explain that it may be possible to find two files with the same
hash, but they're not both going to be files that look like RFCs.

So anyway, there's no reason not to do the PKI signatures, but if you
want to make it easier to verify an RFC without having to subpoena the
IETF, publish hashes.

R's,
John



 


More information about the rfc-interest mailing list