Internet-Draft Signatures

The IETF digitally signs all submitted Internet-Drafts to mark them as authentic and as having been received by the IETF through the normal Internet-Draft Submission Process.  These digital signatures are available for public verification as described below.

The IETF expresses its heartfelt thanks to Comodo for their generous, ongoing donation of the certificates used by the IETF in its generation of draft signatures.

Tools Needed for Verification of Internet-Draft Signatures

Three things are needed in order to configure your system to verify Internet-Draft signatures.

  1. OpenSSL version 1.0.2 (22 Jan 2015) or later.
  2. The IETF open-source canonicalization program, canon.c.
  3. The new IETF/Comodo Verification Certificate Bundle.

OpenSSL provides the engine used for both the generation and verification of digital signatures.  Installation instructions for OpenSSL are included in the source distribution.  On Unix-based systems, a simple three-step process (config; make; make install) generally results in a successful installation of OpenSSL into /usr/local/ssl on the target system.  Most Unix-based systems also offer prebuilt deployments of OpenSSL.  Consult your distribution manager for details and installation instructions.

The IETF Canonicalization program, canon.c, converts plain text Internet-Drafts into their canonical form.  This tool is only needed when verifying a plain text Internet-Draft.  Depending on how the Internet-Draft was downloaded and on the operating system used, the file may contain any of several line endings (CR only, LF only, CRLF), so the same draft can exist as several different byte sequences.  For that reason RFC 5485 stipulates that signatures for plain text Internet-Drafts are generated over the canonical form (see sections 2.1 and 2.2 of RFC 5485 for details).  The IETF's Canonicalization program converts a plain text Internet-Draft to canonical form, and that canonical file is what is then verified.  On Unix-based systems, a single command ([g]cc -o canon canon.c) will compile canon.c and produce a local binary, "canon", for use in the verification process.

Finally, as of March, 2015, the new IETF/Comodo Verification Certificate Bundle contains the necessary trust anchor certificates needed by OpenSSL in order to verify digital signatures generated by the IETF.

Locating Digital Signatures

The digital signature is stored in a file with the same name as the Internet-Draft followed by a .p7s file extension. For example:

Internet-Draft: draft-ietf-example-widgets-03.txt
Signature File: draft-ietf-example-widgets-03.txt.p7s

Internet-Draft: draft-housley-internet-draft-sig-file-00.txt
Signature File: draft-housley-internet-draft-sig-file-00.txt.p7s

Once you have the necessary tools installed, and have a draft and associated signature, you are prepared to verify the signature.

Verifying an Internet-Draft Signature

Step 1 - For plain-text Internet-Drafts only, convert the Internet-Draft to canonical form:

canon <draft-filename>.txt <draft-canonical-filename>.txt

Skip this step for non-text Internet-Drafts.  For plain text Internet-Drafts, use the canonical file, not the downloaded file, as the content when performing verification.

Step 2 - Use OpenSSL to verify the draft signature:

openssl cms -verify -CAfile verifybundle.pem -content <id-file-name> -inform DER \
      -in <sig-file-name> -out /dev/null

OpenSSL will generally respond with "OK" if verification succeeds.  Any other output from OpenSSL will include diagnostic error messages explaining why a failure occurred.
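The following is an added example, not part of this page or of the IETF's canon.c or idsigcheck tools.  It illustrates why Step 1 exists (the same draft saved with CR, LF or CRLF line endings hashes to three different values, so a signature over the raw bytes would fail for two of them) and wraps the two steps above.  It assumes CRLF as the canonical line ending and handles only the line-ending variations named above; the authoritative canonical form is the one defined in RFC 5485 and produced by canon.c.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# Constructed sample: one short draft fragment saved with each of the three
# line-ending conventions named above (CRLF, LF only, CR only).
BODY = "Network Working Group\r\nInternet-Draft\r\n\r\nAbstract  \r\n   Example text.\r\n"
VARIANTS = {
    "crlf": BODY.encode("ascii"),
    "lf": BODY.replace("\r\n", "\n").encode("ascii"),
    "cr": BODY.replace("\r\n", "\r").encode("ascii"),
}


def canonicalize(data: bytes) -> bytes:
    """Rewrite every CR, LF or CRLF line ending as CRLF and terminate the last
    line.  CRLF is an assumption made for this example; the authoritative rules
    are RFC 5485 sections 2.1/2.2 as implemented by the IETF's canon.c."""
    lines = re.split(rb"\r\n|\r|\n", data)
    if lines and lines[-1] == b"":  # input already ended with a line break
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def digest(data: bytes) -> str:
    """SHA-256 of the exact bytes a signature would be computed over."""
    return hashlib.sha256(data).hexdigest()


def verify_command(content: str, sig: str, bundle: str = "verifybundle.pem") -> list:
    """Argument vector for the Step 2 openssl invocation given on this page."""
    return ["openssl", "cms", "-verify", "-CAfile", bundle, "-content", content,
            "-inform", "DER", "-in", sig, "-out", "/dev/null"]


def verify(draft_path: str, sig_path: str, bundle: str = "verifybundle.pem") -> bool:
    """Step 1 then Step 2: write the canonical form beside the draft and hand it
    to openssl.  True only when openssl exits 0 (signature and chain verified)."""
    canon_path = draft_path + ".canon"
    Path(canon_path).write_bytes(canonicalize(Path(draft_path).read_bytes()))
    result = subprocess.run(verify_command(canon_path, sig_path, bundle),
                            capture_output=True, text=True)
    return result.returncode == 0


if __name__ == "__main__":
    # Same text, three byte-level encodings: raw digests differ, canonical ones agree.
    for name, raw in VARIANTS.items():
        print(f"{name:4s} raw {digest(raw)[:16]}  canonical {digest(canonicalize(raw))[:16]}")
```

Calling verify() requires openssl, the verifybundle.pem trust bundle and a real draft/.p7s pair in the current directory.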

Additional Tools and Resources

Here are some additional tools and resources that will aid users working with Internet-Draft signatures:

  • The manual page for the IETF canon.c program, available in nroff (canon.1) and text (canon.1.txt) forms.
  • An Internet-Draft signature check bash script, idsigcheck, which automates the verification process, along with its manual page in nroff (idsigcheck.1) and text (idsigcheck.1.txt) forms.

Please Note!

NOTE WELL: The IETF, AMS (the IETF Secretariat), and other related bodies cannot provide technical support to end users with respect to the use of OpenSSL, canon.c, the validation of digital signatures, or any other type of desktop support.  The presence of draft signatures and public certificates on this website does not imply that any support service is available.  Users needing assistance in configuring or using OpenSSL, or in solving computer problems of any kind, should contact their own IT personnel, consult the many reference materials for OpenSSL and other encryption tools available elsewhere, or engage a professional paid computer support service.