[rfc-i] digital signatures in documents
hallam at gmail.com
Sat Sep 29 09:43:13 PDT 2012
On Sat, Sep 29, 2012 at 12:23 PM, Russ Housley <housley at vigilsec.com> wrote:
> On Sep 29, 2012, at 12:05 PM, Dave Crocker wrote:
> > On 9/29/2012 8:46 AM, Russ Housley wrote:
> >> I support digital signatures on RFCs, but like I-Ds, I think that
> detached signature are a better approach. See
> > Storing it in one place does not automatically preclude storing it in
> another, such as attached to the document, unless the storage method is
> integral to the security model. (Note, for example, that server validation
> in an SSL connection "stores" the validation inline, sort of.)
> > The normal argument for using a detached mode is the independent
> retrieval channel is trusted. Hence, explicit certs aren't used. This is
> like looking in the DNS for a key associated with a domain. Is that why
> you prefer detached?
> There is not an independent trusted retrieval channel for the detached
> signature file. The motivation for a detached signature is quite
> straightforward; it is used so that the I-D can be processed by all of the
> software that one has always used. One does not need to remove a signature
> wrapper to get to the I-D content. Signature validation is a new feature,
> and it works by fetching the file that contains the detached signature and
> the necessary certificates. These certificates are referenced on the web
> page I cited.
These are issues that can be addressed, IF we are making tweaks to XML2RFC
format or adopting an HTML based format.
The XML Signature can be packed inside the signed content. So as far as the
signature is concerned the signed content would be:
But the circulated document would have:
[XML DIG SIG STUFF]
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the rfc-interest