[rfc-i] digital signatures in documents

Martin Rex mrex at sap.com
Fri Sep 28 15:34:18 PDT 2012


Phillip Hallam-Baker wrote:
>
> Paul Hoffman <paul.hoffman at vpnc.org> wrote:
>> 
>> Phillip Hallam-Baker <hallam at gmail.com> wrote:
>>>
>>> What I very much would like to see however is the electronic signatures
>>> be embedded in the document.
>>>
>> A big -1 to that. They add no value to 99.999% of people reading an RFC,
>> and some software will mark RFCs that have inconsequential bits flipped as
>> "invalid" or "dangerous" or some such.

Storing digital signatures within the document would open the largest
can of worms that exists.   Whoever wants signatures can use whatever
credentials he wants, create the signatures detached and store & manage
them in whichever way he likes.  It would be a terribly bad idea to
harass document authors and document readers with this.


I have EMail archives that go back for 2 decades.  During the last
8 years there are occasional S/MIME signed messages in between, but
what ALL S/MIME messages that are 1 year+ old have in common is that the
signature verification fails.


The obvious problem whenever you get your hands dirty with X.509
is "revocation", "expiration", "timestamping", and this will make
things REALLY complicated.


Simply having the IETF website publish a digitally signed document
with hashes (fingerprints) of the RFCs and I-D would be perfectly
sufficient, and the document can be regularly re-created and
newly signed, obviating revocation & timestamping for many usage
scenarios.


-Martin
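
The signed hash list proposed in the message above, sketched as an added example that is not part of the original post: a verifier authenticates the list, rejects it if it has not been re-signed recently, and only then compares the document's fingerprint. Assumptions: HMAC-SHA256 under a demo key stands in for the publisher's public-key signature, and the manifest layout, the one-week window and all names are hypothetical.

```python
import hashlib, hmac, json

# Assumption: HMAC-SHA256 under a constructed demo key stands in for the
# publisher's public-key signature, so the example needs only the stdlib.
DEMO_KEY = b"constructed-demo-key"
MAX_AGE = 7 * 24 * 3600  # assumed policy: the list is re-signed at least weekly

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(docs: dict, issued_at: int) -> bytes:
    """Serialize the hash list together with the time it was (re-)created."""
    body = {"issued_at": issued_at,
            "sha256": {name: fingerprint(d) for name, d in docs.items()}}
    return json.dumps(body, sort_keys=True).encode()

def sign(manifest: bytes, key: bytes = DEMO_KEY) -> str:
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()

def check_document(name, data, manifest, signature, now, key=DEMO_KEY) -> str:
    # 1. Authenticate the exact manifest bytes before parsing them.
    if not hmac.compare_digest(sign(manifest, key), signature):
        return "bad-signature"
    body = json.loads(manifest)
    # 2. Freshness replaces revocation and timestamping: a list that was not
    #    re-signed recently is rejected, whatever its signature says.
    age = now - body["issued_at"]
    if age < 0 or age > MAX_AGE:
        return "stale-manifest"
    # 3. Compare the document's fingerprint with the listed one.
    expected = body["sha256"].get(name)
    if expected is None:
        return "not-listed"
    if not hmac.compare_digest(expected, fingerprint(data)):
        return "hash-mismatch"
    return "ok"

# Constructed sample input (not a real RFC).
NOW = 1_700_000_000
DOC = b"Constructed sample document text.\n"
MANIFEST = build_manifest({"rfc-sample.txt": DOC}, issued_at=NOW)
SIGNATURE = sign(MANIFEST)

if __name__ == "__main__":
    print(check_document("rfc-sample.txt", DOC, MANIFEST, SIGNATURE, NOW + 3600))
```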

