On Mon, Sep 22, 2008 at 12:14:53PM -0400, Keith Medcalf wrote:
> If I cannot authenticate the data myself, then it is simply untrusted and untrustworthy -- exactly the same as it is now.
so I guess PGP web of trust is right out, then?
[elided]
> If there is a piece of data X signed with a cryptographically generated signature, and *I* verify that indeed the signature is valid, then the signature is valid -- that is, I can say with 100% absolute certainty that specific bit of keying material was used to generate a signature on something and that I have another bit of keying material which validates that signature. I am assured with very high certainty that THE DATA WAS SIGNED BY THE POSSESSOR OF THE SECRET KEYING MATERIAL.
> Nothing more can be determined from the signature.
let me understand this ... your use of the pronoun "I" in these contexts is in reference to your corporal being i.e. meatspace and not a software application running on some computer.
--bill