Joe Hildebrand (jhildebr)
jhildebr at cisco.com
Wed Feb 24 12:57:14 PST 2016
Russ, Robert and I just had a quick chat about this. Note that this is not an IAB opinion, just three individuals. What we discussed:
1- draft-iab-rfc-use-of-pdf, section 3.3 should remove its recommendation about signing I-Ds. The use case we're worried about is someone submitting both a .txt and a .pdf containing a signature to the automated tools. If the tools have to replace the existing author signature with one from the secretariat, the tools are going to be somewhat complex, and the document will change while it is in the repository, which is currently unprecedented. If we're going to go down that road, we'll need to do some more careful analysis and ensure that the IESG and tools team are onboard.
2- because of this, we think that doing an external signature for the I-Ds in the same way that we do them for the other formats (except for whitespace normalization) is still probably a good idea, even if we eventually do internal signatures. Note: if we do both, the internal signature has to be added before the external signature is performed.
3- For similar reasons, and because we think it might be easier to do algorithm agility with traceability later, we recommend that external signatures also be performed for PDFs of RFCs. This is of less importance than for I-Ds, because the PDFs will almost always be produced by the RPC.
4- draft-iab-rfc-use-of-pdf, section 3.3, paragraph 1 says "but also to lock down the visual presentation as well". We're not sure if the current mechanism is going to do exactly that. Can we either strike this clause or explore it with more text?
5- Russ currently has an experiment going about how to do command-line signing of PDFs. We really need the output of that experiment before we as a community lock down the final decisions here.
On 2/23/16, 12:01 PM, "Joe Hildebrand (jhildebr)" <jhildebr at cisco.com> wrote:
>I think the question is whether they're signed inside the PDF doc, or after the doc is created in an external file like the ASCII files are.
>If I recall correctly, we either decided we wanted all of the output formats signed the same way, or we decided that the XML was what needed to be signed, since the output formats might get re-rendered one day.
>On 2/23/16, 11:45 AM, "rfc-interest on behalf of Russ Housley" <rfc-interest-bounces at rfc-editor.org on behalf of housley at vigilsec.com> wrote:
>> Recommendation: At this time, the authors see no need for Internet-
>> Drafts to be signed with a PDF digital signature.
>>The IETF Secretariat currently signs all I-Ds. See RFC 5485.
>>It seems to me that the decision to sign I-Ds should be left to the IESG and IETF Secretariat. I suggest that this be removed from the document.
>>rfc-interest mailing list
>>rfc-interest at rfc-editor.org
More information about the rfc-interest