On Mon, Sep 22, 2008 at 12:14:53PM -0400, Keith Medcalf wrote:
> 
> > > If I cannot authenticate the data myself, then it is simply
> > > untrusted and untrustworthy -- exactly the same as it is now.
> 
> > so I guess PGP web of trust is right out, then?
> 
[elided]
> 
> If there is a piece of data X signed with a cryptographically generated 
> signature, and *I* verify that indeed the signature is valid, then the 
> signature is valid -- that is, I can say with 100% absolute certainty that 
> specific bit of keying material was used to generate a signature on something 
> and that I have another bit of keying material which validates that 
> signature.  I am assured with very high certainty that THE DATA WAS SIGNED BY 
> THE POSSESSOR OF THE SECRET KEYING MATERIAL.
> 
> Nothing more can be determined from the signature.
> 


        let me understand this ... your use of the pronoun "I" in these contexts
        is in reference to your corporal being i.e. meatspace and not a software
        application running on some computer.

--bill
