
Internet-Draft signatures

Signing submitted Internet-Drafts ensures their authenticity, and that they were received via the IETF submission process.

The IETF digitally signs all submitted Internet-Drafts to mark these specific drafts as being authentic, and being received by the IETF through the normal Internet-Draft Submission Process.  These digital signatures are available for public verification use as described below.

The IETF expresses its heartfelt thanks to Digicert for their generous donation of the certificates used by the IETF in its generation of Internet-Draft signatures.

Tools Needed for Verification of Internet-Draft Signatures

Three things are needed in order to configure your system to verify Internet-Draft signatures.

  1. OpenSSL version 1.0.1 or later.
  2. The IETF open-source canonicalization program, canon.c.
  3. The new Combined IETF Verification Certificate Bundle.

OpenSSL provides the engine used for both the generation and verification of digital signatures.  Installation instructions for OpenSSL are included in the source distribution.  On Unix-based systems, a simple three-step process (config; make; make install) generally results in a successful installation of OpenSSL into /usr/local/ssl on the target system.  Most Unix-based systems also offer prebuilt deployments of OpenSSL.  Consult your distribution manager for details and installation instructions.

The IETF Canonicalization program, canon.c, converts plain text Internet-Drafts into their canonical format.  This tool is only needed when verifying a plain text Internet-Draft.  Depending on how the Internet-Draft was downloaded and on the operating system used, the file may contain various line-endings (CR only, LF only, CRLF).  As a result, RFC5485 stipulates that signatures for plain text Internet-Drafts will be generated against the Canonical Form (see sections 2.1 and 2.2 of RFC5485 for details).  The IETF's Canonicalization program will convert plain text Internet-Drafts to canonical form, which can then be used for verification.  On Unix-based systems, a single command ([g]cc -o canon canon.c) will compile canon.c and generate a local binary, "canon", which can be used in the verification process.

Finally, as of February, 2020, the new Combined IETF Verification Certificate Bundle contains the trust anchor certificates OpenSSL needs in order to verify both past and present digital signatures generated by the IETF.

Locating Digital Signatures

The digital signature is stored in a file with the same name as the Internet-Draft followed by a .p7s file extension. For example:

Internet-Draft: draft-ietf-example-widgets-03.txt
Signature File: draft-ietf-example-widgets-03.txt.p7s

Internet-Draft: draft-ietf-example-widgets-03.ps
Signature File: draft-ietf-example-widgets-03.ps.p7s

Internet-Draft: draft-housley-internet-draft-sig-file-00.txt
Signature File: draft-housley-internet-draft-sig-file-00.txt.p7s

Once you have the necessary tools installed, and have a draft and associated signature, you are prepared to verify the signature.

Verifying an Internet-Draft Signature

Step 1: For plain-text Internet-Drafts only, convert the Internet-Draft to canonical form:

canon <draft-filename>.txt <draft-canonical-filename>.txt

This step is only necessary for plain text Internet-Drafts. Use the canonical file when performing verification.

Step 2: Use OpenSSL to verify the draft signature:

openssl cms -verify -CAfile verifybundle.pem -binary -content <id-file-name> -inform DER -in <sig-file-name> -out /dev/null

OpenSSL will generally respond with "OK" or "Verification successful" if verification succeeds.  Any other output from OpenSSL will include diagnostic error messages explaining why a failure occurred.
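The two steps above combined into one POSIX shell function, as an added example (it is not the IETF's idsigcheck script and not code from this page). It assumes the compiled canon binary and openssl are on PATH and that the certificate bundle is saved as verifybundle.pem; the function names sig_path, needs_canon and verify_draft are hypothetical.

```shell
#!/bin/sh
# Added example: wrapper around Step 1 and Step 2 as described on this page.
# Assumptions: "canon" and "openssl" are on PATH; function names are made up.

# The signature file is the draft's file name with ".p7s" appended.
sig_path() {
    printf '%s.p7s\n' "$1"
}

# Only plain text drafts are converted to canonical form (Step 1).
needs_canon() {
    case "$1" in
        *.txt) return 0 ;;
        *)     return 1 ;;
    esac
}

# verify_draft <draft> [ca-bundle]
# Returns 0 only when openssl accepts the signature, 2 when an input is
# missing or canonicalization fails, otherwise openssl's own exit status.
verify_draft() {
    draft=$1
    bundle=${2:-verifybundle.pem}
    sig=$(sig_path "$draft")
    tmp=

    # Fail closed: a missing draft, signature or bundle is never "verified".
    for f in "$draft" "$sig" "$bundle"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 2; }
    done

    content=$draft
    if needs_canon "$draft"; then
        tmp=$(mktemp) || return 2
        canon "$draft" "$tmp" || { rm -f "$tmp"; return 2; }
        content=$tmp            # verify the canonical file, not the download
    fi

    # Decide on the exit status rather than on the wording of the output.
    rc=0
    openssl cms -verify -CAfile "$bundle" -binary -content "$content" \
        -inform DER -in "$sig" -out /dev/null || rc=$?
    [ -n "$tmp" ] && rm -f "$tmp"
    return "$rc"
}
```

Called as `verify_draft draft-ietf-example-widgets-03.txt`, it expects draft-ietf-example-widgets-03.txt.p7s next to the draft.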

Additional Tools and Resources 

Here are some additional tools and resources that will aid users working with Internet-Draft signatures: 

  • The manual page for the IETF canon.c program is available in nroff (canon.1) and text (canon.1.txt) forms.
  • An Internet-Draft signature check bash script, idsigcheck, which automates the verification process, along with its manual page in nroff (idsigcheck.1) and text (idsigcheck.1.txt) forms.