Jim Jagielski wrote on Mon, Aug 27, 2012 at 10:38:15 -0400: > After this, please drop general@ > > On Aug 27, 2012, at 10:16 AM, Rob Weir <[email protected]> wrote: > > >> > >> A signature does 2 things: > >> > >> 1. Ensures that no bits have been changed > >> 2. That the bits come from a known (and trusted) entity. > >> > > > > Almost. It doesn't guarantee trust. > > Sure it does. If something is signed by Bill or Ross, etc I > trust that it came from them. Anything else is tangential to > what a signature provides.
A signature ties a file to a public key, and then "trusted?" is an attribute of the public key. Signatures do not provide trust by themselves (i.e., without some means to establish trust in the public keys).
