[rfc-i] digital signatures in documents
dhc at dcrocker.net
Sat Sep 29 09:36:15 PDT 2012
On 9/29/2012 9:23 AM, Russ Housley wrote:
> There is not an independent trusted retrieval channel for the
> detached signature file. The motivation for a detached signature is
> quite straightforward; it is used so that the I-D can be processed
> by all of the software that one has always used. One does not need
> to remove a signature wrapper to get to the I-D content. Signature
> validation is a new feature, and it works by fetching the file that
> contains the detached signature and the necessary certificates. These
> certificates are referenced on the web page I cited.
Wrapping is a form of signature attachment used by OpenPGP and S/MIME,
but not (for example) DKIM, which places the signature information into
a field that can be ignored.
This is identical to the 'metadata' method being discussed on this thread.
It has the specific advantage of not getting in the way, for readers not
interested or able to process the signature.
Hence rather than a benefit, the detached file adds the hassle of a
separate retrieval and the need for correlation.
That doesn't mean the detached file method should be stopped, but it
also does not offer any benefit and doesn't preclude incorporating the
signature as metadata.
More information about the rfc-interest