Re: authenticated archives, was https

I can't tell what problem we're trying to solve here.  The original
question (other than that whoever runs the IETF web site should
buy a new cert) seemed to have something to do with mailing list
archives.  I think it would be swell to know that the archives I
retrieved were the real ones, but what does real mean here?

A - The messages sent by authenticated senders
B - The contents of the archive as of some past time when the
    archives were created
C - The archives as they are on an IETF server now
D - The archives as presented by some presumably reliable piece
    of software (pipermail)
E - Something else

While option A might be nice, it's not going to happen without an
implausible level of S/MIME or PGP signing.

Option B seems useful to me, since it defends against the threat of
accidental or deliberate bitrot.  (An example might be restoring an
archived copy that had the addresses xxx'ed out.)

Options C and D seem less useful.

Harking back to a previous argument about signing RFCs, the way I
would do option B would be to publish hashes of the archive files in
enough places to be sure they're persistent, e.g., print the latest
set of hashes on the back of everyone's name card at IETF meetings.

TLS for session privacy is nice, but I find negligible value in a
little lock icon in my browser that means only that one of the several
dozen cert issuers configured into my browser, most of whom I've never
heard of, and many of whom aren't even the organization in the cert
name, signed something.

R's,
John


_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
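
One way to realize option B from the message above, as an added example that is not part of the original post: hash each archive file, collect the hashes in a manifest, and publish the single hash of that manifest widely, so any later copy can be checked against the archive as first created. The function names, the file names and contents, and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib

# Constructed sample data: two monthly archive files (names and contents are made up).
ORIGINAL = {
    "2009-01.mbox": b"From alice@example.org Thu Jan  1 00:00:00 2009\nSubject: hello\n\nhi\n",
    "2009-02.mbox": b"From bob@example.org Sun Feb  1 00:00:00 2009\nSubject: re: hello\n\nok\n",
}

def file_digest(data: bytes) -> str:
    # SHA-256 is an assumption; the message does not name a hash function.
    return hashlib.sha256(data).hexdigest()

def build_manifest(archives: dict) -> str:
    """One 'digest  name' line per file, sorted by name so the manifest is canonical."""
    return "".join(f"{file_digest(body)}  {name}\n" for name, body in sorted(archives.items()))

def manifest_root(manifest: str) -> str:
    """Hash of the manifest: the one short value that has to be published widely."""
    return hashlib.sha256(manifest.encode("utf-8")).hexdigest()

def verify(archives: dict, manifest: str, published_root: str) -> dict:
    """Compare retrieved archive files against a manifest pinned by the published root."""
    if manifest_root(manifest) != published_root:
        raise ValueError("manifest does not match the published root hash")
    expected = {}
    for line in manifest.splitlines():
        digest, name = line.split("  ", 1)
        expected[name] = digest
    report = {}
    for name, digest in expected.items():
        if name not in archives:
            report[name] = "missing"
        else:
            report[name] = "ok" if file_digest(archives[name]) == digest else "modified"
    for name in archives.keys() - expected.keys():
        report[name] = "unlisted"  # present now, but not in the archive as first published
    return report

# Published when the archives were created.
MANIFEST = build_manifest(ORIGINAL)
ROOT = manifest_root(MANIFEST)

# Later: a restored copy in which one file had its addresses xxx'ed out.
RESTORED = dict(ORIGINAL)
RESTORED["2009-01.mbox"] = ORIGINAL["2009-01.mbox"].replace(b"alice@example.org", b"alice@xxxxxxxx")

if __name__ == "__main__":
    print(verify(ORIGINAL, MANIFEST, ROOT))
    print(verify(RESTORED, MANIFEST, ROOT))
```

Only the root hash needs to survive in many independent places; the manifest can travel with the archive, because any change to it fails the root check.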

