|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
Date: Mon, 22 Sep 2008 12:14:53 -0400 In-Reply-To: <171423de0809220854o50fe29acyb3a62fcad7a8e76c@mail.gmail.com> From: "Keith Medcalf" <kmedcalf@dessus.com> To: "NANOG list" <nanog@nanog.org> Errors-To: nanog-bounces@nanog.org > > Just because YOU check the digital signature on an email > and forward that email to me (either with or without the > > signature data), if I do not have the capability to verify > the signature myself, I sure as hell am not going to trust your > > mere say-so that the signature is valid! > > If I cannot authenticate the data myself, then it is simply > untrusted and untrustworthy -- exactly the same as it is now. > so I guess PGP web of trust is right out, then? You are confusing "validating signature" with "validating the holder of the= keying material and the authorization of the holder to deploy it to create= a non-repudiable signature", which are two entirely different and complete= ly unreleated things. (This is quite common by the way, so maybe you can b= e excused your confusion). If there is a piece of data X signed with a cryptographically generated sig= nature, and *I* verify that indeed the signature is valid, then the signatu= re is valid -- that is, I can say with 100% absolute certainty that specifi= c bit of keying material was used to generate a signature on something and = that I have another bit of keying material which validates that signature. = I am assured with very high certainty that THE DATA WAS SIGNED BY THE POSS= ESSOR OF THE SECRET KEYING MATERIAL. Nothing more can be determined from the signature. You now want to confuse the issue by associating the "keying material" with= a "person" or "entity". That problem is entirely outside the purview of t= he exercize and completely irrelevant. (I certainly do not "trust" that an= y certificate issued by a so-called Certificate Authority (other than mysel= f) was issued to the entity it is purported to be issued to, nor that the k= ey is properly kept secret, nor anything else. The mathematical validity of the signature is beyond question. Associating= that signature to anything other than a mere statement that "this data was= signed by the possessor of the secret key corresponding to the public key = that I have" is a personal judgement call.
|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |