Location-Independent Data/Software Integrity Protocol (RFC1805)
Original Publication Date: 1995-Jun-01
Included in the Prior Art Database: 2019-Feb-12
Internet Society Requests For Comment (RFCs)
This memo describes a protocol for adding integrity assurance to files that are distributed across the Internet. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind.
Network Working Group A. Rubin Request for Comments: 1805 Bellcore Category: Informational June 1995
Location-Independent Data/Software Integrity Protocol
Status of this Memo
This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
This memo describes a protocol for adding integrity assurance to files that are distributed across the Internet. This protocol is intended for the distribution of software, data, documents, and any other file that is subject to malicious modification. The protocol described here is intended to provide assurances of integrity and time. A trusted third party is required.
One problem with any system for verifying the integrity of a file is that the verifying program itself may be attacked. Thus, although users may be reassured by their software that a file has not changed, in reality, the file, and the verifier might have both changed. Because of this danger, a protocol that does not rely on the distribution of some special software, but rather, is based entirely on widely used standards, is very useful. It allows users to build their own software, or obtain trusted copies of software to do integrity checking independently. Therefore, the protocol described in this memo is composed of ASCII messages that may be sent using e- mail or any other means. There is an existing implementation, Betsi , that is designed this way. Betsi has been in existence since August, 1994, and is operational on the Internet. It can be accessed by sending e-mail to email@example.com with subject ’help’, or via the world wide web at http://info.bellcore.com/BETSI/betsi.html.
Rubin Informational [Page 1]
RFC 1805 Location-Independent Data/Software Integrity Protocol June 1995
The purpose of the proposed protocol is for authors to be able to distribute their files to users on the internet with guarantees of time and integrity, by use of a trusted third party. The protocol is divided into several phases:
I. Author registration II. Author verification III. File Certification IV. File Distribution V. File Integrity Verification
Phases I, III, IV, and V are defined in the protocol. Phase II is intentionally not defined. Author verification can be different for different applications, and the particular method chosen for phase II is identified in phases III and V. It is the hope that further Internet Drafts will describe the various possibilities for phase II. This memo describes the method for author verification in the Betsi system, and makes several recommendations.
It is important that the integrity and time information be independent from the location of the file. Lowry  defines a syntax and protocols for location-independent objects. His system requires that end-users possess special software, and is still in the prototype stage. The protocol described in this memo has been implemented, and is alrea...