nanog mailing list archives

RE: hat tip to .gov hostmasters

From: "Keith Medcalf" <kmedcalf () dessus com>
Date: Mon, 22 Sep 2008 12:14:53 -0400

Just because YOU check the digital signature on an email

and forward that email to me (either with or without the

signature data), if I do not have the capability to verify

the signature myself, I sure as hell am not going to trust your

mere say-so that the signature is valid!

If I cannot authenticate the data myself, then it is simply

untrusted and untrustworthy -- exactly the same as it is now.

so I guess PGP web of trust is right out, then?

You are confusing "validating signature" with "validating the holder of the keying material and the authorization of
the holder to deploy it to create a non-repudiable signature", which are two entirely different and completely
unreleated things. (This is quite common by the way, so maybe you can be excused your confusion).

If there is a piece of data X signed with a cryptographically generated signature, and *I* verify that indeed the
signature is valid, then the signature is valid -- that is, I can say with 100% absolute certainty that specific bit of
keying material was used to generate a signature on something and that I have another bit of keying material which
validates that signature. I am assured with very high certainty that THE DATA WAS SIGNED BY THE POSSESSOR OF THE
SECRET KEYING MATERIAL.

Nothing more can be determined from the signature.

You now want to confuse the issue by associating the "keying material" with a "person" or "entity". That problem is
entirely outside the purview of the exercize and completely irrelevant. (I certainly do not "trust" that any
certificate issued by a so-called Certificate Authority (other than myself) was issued to the entity it is purported to
be issued to, nor that the key is properly kept secret, nor anything else.

The mathematical validity of the signature is beyond question. Associating that signature to anything other than a
mere statement that "this data was signed by the possessor of the secret key corresponding to the public key that I
have" is a personal judgement call.

Current thread:

RE: hat tip to .gov hostmasters, (continued)
- - - RE: hat tip to .gov hostmasters marcus.sachs (Sep 22)
    - Re: hat tip to .gov hostmasters Florian Weimer (Sep 22)
    - Re: hat tip to .gov hostmasters bmanning (Sep 22)
    - Re: hat tip to .gov hostmasters Edward Lewis (Sep 22)
    - Re: hat tip to .gov hostmasters bmanning (Sep 22)
    - Re: hat tip to .gov hostmasters Mark Andrews (Sep 22)
    - RE: hat tip to .gov hostmasters Keith Medcalf (Sep 22)
    - Re: hat tip to .gov hostmasters Florian Weimer (Sep 22)
    - RE: hat tip to .gov hostmasters Keith Medcalf (Sep 22)
    - Re: hat tip to .gov hostmasters Scott Francis (Sep 22)
    - RE: hat tip to .gov hostmasters Keith Medcalf (Sep 22)
    - Re: hat tip to .gov hostmasters bmanning (Sep 22)
    - Re: hat tip to .gov hostmasters bmanning (Sep 22)
    - Re: hat tip to .gov hostmasters bmanning (Sep 22)
    - Re: hat tip to .gov hostmasters David Conrad (Sep 22)
    - Re: hat tip to .gov hostmasters David Conrad (Sep 22)
  - Re: hat tip to .gov hostmasters Simon Vallet (Sep 22)
    - Re: hat tip to .gov hostmasters Chris Owen (Sep 22)
    - Re: hat tip to .gov hostmasters Simon Vallet (Sep 22)
    - Re: hat tip to .gov hostmasters Jason Frisvold (Sep 22)
    - Re: hat tip to .gov hostmasters Michael Thomas (Sep 22)

(Thread continues...)