[rfc-i] digital signatures in documents
housley at vigilsec.com
Sat Sep 29 09:23:03 PDT 2012
On Sep 29, 2012, at 12:05 PM, Dave Crocker wrote:
> On 9/29/2012 8:46 AM, Russ Housley wrote:
>> I support digital signatures on RFCs, but like I-Ds, I think that detached signatures are a better approach. See http://www.ietf.org/id-info/idsignatures.html.
> Storing it in one place does not automatically preclude storing it in another, such as attached to the document, unless the storage method is integral to the security model. (Note, for example, that server validation in an SSL connection "stores" the validation inline, sort of.)
> The normal argument for using a detached mode is that the independent retrieval channel is trusted. Hence, explicit certs aren't used. This is like looking in the DNS for a key associated with a domain. Is that why you prefer detached?
There is not an independent trusted retrieval channel for the detached signature file. The motivation for a detached signature is quite straightforward; it is used so that the I-D can be processed by all of the software that one has always used. One does not need to remove a signature wrapper to get to the I-D content. Signature validation is a new feature, and it works by fetching the file that contains the detached signature and the necessary certificates. These certificates are referenced on the web page I cited.
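The detached arrangement described in the reply above, as an added example that is not part of the original message or of any IETF tooling: the document stays byte-identical and readable by existing tools, while a separate file carries the signature and the signer's certificate. The use of CMS via `openssl cms`, the file names, and the throwaway self-signed signer are assumptions made for this sketch; the message does not name a format.

```shell
#!/bin/sh
# Added example: detached CMS signature with the signer certificate carried in
# the signature file. File names, subject and the throwaway key are constructed.
demo_detached_sig() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        doc=draft-example-00.txt            # constructed stand-in for an I-D
        sig=$doc.p7s                        # detached signature file
        printf 'Internet-Draft\n\nAbstract\n\n   Sample text.\n' > "$doc"
        cp "$doc" before.txt

        # Throwaway self-signed certificate standing in for the real signer.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj '/CN=Example Signer' \
            -keyout signer.key -out signer.pem 2>/dev/null || exit 1

        # Detached is the default for "cms -sign" (no -nodetach), and the
        # signer certificate is embedded in the .p7s (no -nocerts).
        openssl cms -sign -binary -in "$doc" -signer signer.pem \
            -inkey signer.key -outform DER -out "$sig" 2>/dev/null || exit 1

        # The document is byte-for-byte what it was before signing.
        if cmp -s "$doc" before.txt; then unchanged=yes; else unchanged=no; fi

        verify() {
            # signer.pem is the trust anchor here.
            openssl cms -verify -binary -inform DER -in "$sig" \
                -content "$doc" -CAfile signer.pem >/dev/null 2>&1
        }
        if verify; then good=ok; else good=fail; fi

        printf 'tampered\n' >> "$doc"       # any change must break validation
        if verify; then bad=ok; else bad=fail; fi

        echo "$unchanged $good $bad"
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

demo_detached_sig    # prints: yes ok fail
```

The sketch signs the bytes as-is with `-binary`; a deployment that must survive line-ending changes in transit would canonicalize the text before signing and verifying.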