The IETF digitally signs every submitted Internet-Draft to attest that the draft is authentic and was received by the IETF through the normal Internet-Draft Submission Process. The signatures are published so that anyone can verify them, as described below. Note what a successful verification proves: that the bytes you hold are the ones the IETF received and signed, not anything further about the draft's authors or content.
The IETF expresses its heartfelt thanks to Digicert for their generous donation of the certificates used by the IETF in its generation of Internet-Draft signatures.
Tools Needed for Verification of Internet-Draft Signatures
Three things are needed in order to configure your system to verify Internet-Draft signatures.
- OpenSSL versions 1.0.1 or later
- The IETF open-source canonicalization program, canon.c.
- The new Combined IETF Verification Certificate Bundle.
OpenSSL provides the engine used for both the generation and verification of digital signatures. Installation instructions for OpenSSL are included in the source distribution. On Unix-based systems, a simple three-step process (config; make; make install) generally results in a successful installation of OpenSSL into /usr/local/ssl on the target system. Most Unix-based systems also offer prebuilt OpenSSL packages, which are the simpler choice; any build that provides the "openssl cms" subcommand (OpenSSL 1.0.1 or later, as noted above) will do. Consult your distribution's package manager for details and installation instructions.
The IETF canonicalization program, canon.c, converts plain text Internet-Drafts into their canonical form. This tool is only needed when verifying a plain text Internet-Draft. Depending on how the Internet-Draft was downloaded and on the operating system used, the file may contain any of several line endings (CR only, LF only, or CRLF), and a signature over one representation would fail against another even though the text is identical. For that reason RFC5485 stipulates that signatures for plain text Internet-Drafts are generated over the Canonical Form (see sections 2.1 and 2.2 of RFC5485 for details). The IETF's canonicalization program converts a plain text Internet-Draft to canonical form, and it is that canonical file, not the file as downloaded, that is passed to the verification step. On Unix-based systems, a single command ([g]cc -o canon canon.c) will compile canon.c and produce a local binary, "canon", for use in the verification process.
Finally, as of February 2020, the new Combined IETF Verification Certificate Bundle contains the trust anchor certificates that OpenSSL needs in order to verify both past and present digital signatures generated by the IETF. Obtain the bundle directly from the IETF: the certificates it contains define exactly which signers a successful verification trusts, so a bundle from any other source makes the result meaningless.
Locating Digital Signatures
The digital signature is a detached, DER-encoded CMS SignedData structure stored in a file with the same name as the Internet-Draft followed by a .p7s file extension. Because the signature is detached, the draft file itself is supplied separately at verification time. For example:
Signature File: draft-ietf-example-widgets-03.txt.p7s
Signature File: draft-ietf-example-widgets-03.ps.p7s
Signature File: draft-housley-internet-draft-sig-file-00.txt.p7s
Once you have the necessary tools installed, and have a draft and associated signature, you are prepared to verify the signature.
Verifying an Internet-Draft Signature
Step 1: For plain-text Internet-Drafts only, convert the Internet-Draft to canonical form:
canon <draft-filename>.txt <draft-canonical-filename>.txt
This step is only necessary for plain text Internet-Drafts. Use the canonical file when performing verification.
Step 2: Use OpenSSL to verify the draft signature:
openssl cms -verify -CAfile verifybundle.pem -binary -content <id-file-name> -inform DER -in <sig-file-name> -out /dev/null
If verification succeeds, OpenSSL prints "Verification successful" (recent releases prefix it with "CMS") on standard error and exits with status 0; when scripting, rely on the exit status rather than on the message text, which varies between versions. On failure OpenSSL exits with a non-zero status and its output includes diagnostic error messages explaining why, for example a digest mismatch when the content file is not byte-for-byte the canonical form that was signed, or a certificate chain error when the signing certificate does not chain to a trust anchor in the bundle.
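The two steps above, as one worked example added here (this is not canon.c or any other IETF code). The canonicalize function applies the line-ending and whitespace rules this example assumes from RFC5485 section 2.2: CRLF line endings, trailing spaces and tabs removed, trailing blank lines dropped, form feeds left as they are; confirm those rules against canon.c and the RFC before using this in place of the IETF tool. verify_signature runs exactly the OpenSSL command from Step 2 and reports its exit status. demo_roundtrip stands in for the IETF's signing side with a throwaway self-signed certificate, which also serves as the trust anchor in place of verifybundle.pem; the draft text it signs is constructed for the demonstration.

```python
"""Added example: canonicalise a plain-text Internet-Draft and verify its
detached CMS signature with OpenSSL.  Not the IETF's own code."""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Tuple, Union

PathLike = Union[str, Path]


def canonicalize(data: bytes) -> bytes:
    """Canonical form as assumed here from RFC5485 section 2.2: every line ends
    with CRLF, trailing spaces/tabs are stripped, trailing blank lines dropped.
    Form feeds (page breaks in drafts) are kept as ordinary content."""
    # bytes.splitlines() breaks only on LF, CR and CRLF, so a CR-only, LF-only
    # or CRLF file all yield the same line list.  (str.splitlines() would also
    # split on form feeds, which is why this stays in bytes.)
    lines = [line.rstrip(b" \t") for line in data.splitlines()]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def verify_command(content: PathLike, sig: PathLike, bundle: PathLike) -> List[str]:
    """The page's Step 2 command as an argument vector (detached signature,
    so the draft is passed with -content and the .p7s file with -in)."""
    return ["openssl", "cms", "-verify", "-CAfile", str(bundle), "-binary",
            "-content", str(content), "-inform", "DER", "-in", str(sig),
            "-out", "/dev/null"]


def verify_signature(content: PathLike, sig: PathLike, bundle: PathLike) -> Tuple[bool, str]:
    """Run the verification; the exit status is the authoritative result,
    the stderr text is returned only for diagnostics."""
    proc = subprocess.run(verify_command(content, sig, bundle),
                          capture_output=True, text=True)
    return proc.returncode == 0, proc.stderr.strip()


def demo_roundtrip() -> None:
    """Sign the canonical form with a throwaway self-signed certificate, then
    verify canonical, raw and tampered content against that signature."""
    work = Path(tempfile.mkdtemp())
    key, cert = work / "key.pem", work / "signer.pem"
    # Constructed draft text with mixed line endings, trailing whitespace and
    # a form feed, the kind of drift a download or editor introduces.
    raw = b"Network Working Group   \r\nDraft Example \n\x0c\rExample text\t\n\n\n"
    (work / "draft.txt").write_bytes(raw)
    canon = work / "draft-canon.txt"
    canon.write_bytes(canonicalize(raw))
    # Throwaway signer; for real drafts the IETF's DigiCert-issued certificate
    # signs and verifybundle.pem holds the trust anchors.
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-subj", "/CN=throwaway-signer", "-days", "1",
                    "-keyout", str(key), "-out", str(cert)],
                   check=True, capture_output=True)
    sig = work / "draft.txt.p7s"
    # -sign is detached by default; -binary matches the -binary used to verify.
    subprocess.run(["openssl", "cms", "-sign", "-signer", str(cert), "-inkey", str(key),
                    "-binary", "-in", str(canon), "-outform", "DER", "-out", str(sig)],
                   check=True, capture_output=True)
    tampered = work / "tampered.txt"
    tampered.write_bytes(canonicalize(raw.replace(b"Example text", b"Altered text")))
    print("canonical file :", verify_signature(canon, sig, cert))
    print("raw download   :", verify_signature(work / "draft.txt", sig, cert))
    print("tampered text  :", verify_signature(tampered, sig, cert))
    shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    if shutil.which("openssl") is None:
        raise SystemExit("openssl not found on PATH")
    demo_roundtrip()
```

Run stand-alone, the demo shows the canonical file verifying, the raw download with its stray CR/LF and whitespace failing with a digest mismatch even though the text is the same, and the one-word edit failing the same way. If an older draft fails only because the signing certificate has expired since it was made, OpenSSL's -attime option (a Unix timestamp) evaluates the chain as of that time; treat that as a deliberate relaxation of the check rather than a default.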
Additional Tools and Resources
Here are some additional tools and resources that will aid users working with Internet-Draft signatures: