hat tip to .gov hostmasters

Keith Medcalf kmedcalf at dessus.com
Mon Sep 22 16:14:53 UTC 2008


> > Just because YOU check the digital signature on an email 
> and forward that email to me (either with or without the
> > signature data), if I do not have the capability to verify 
> the signature myself, I sure as hell am not going to trust your
> > mere say-so that the signature is valid!

> > If I cannot authenticate the data myself, then it is simply 
> untrusted and untrustworthy -- exactly the same as it is now.

> so I guess PGP web of trust is right out, then?

You are confusing "validating signature" with "validating the holder of the keying material and the authorization of the holder to deploy it to create a non-repudiable signature", which are two entirely different and completely unreleated things.  (This is quite common by the way, so maybe you can be excused your confusion).

If there is a piece of data X signed with a cryptographically generated signature, and *I* verify that indeed the signature is valid, then the signature is valid -- that is, I can say with 100% absolute certainty that specific bit of keying material was used to generate a signature on something and that I have another bit of keying material which validates that signature.  I am assured with very high certainty that THE DATA WAS SIGNED BY THE POSSESSOR OF THE SECRET KEYING MATERIAL.

Nothing more can be determined from the signature.

You now want to confuse the issue by associating the "keying material" with a "person" or "entity".  That problem is entirely outside the purview of the exercize and completely irrelevant.  (I certainly do not "trust" that any certificate issued by a so-called Certificate Authority (other than myself) was issued to the entity it is purported to be issued to, nor that the key is properly kept secret, nor anything else.

The mathematical validity of the signature is beyond question.  Associating that signature to anything other than a mere statement that "this data was signed by the possessor of the secret key corresponding to the public key that I have" is a personal judgement call.







More information about the NANOG mailing list