> > > No. You can trace back to the fact that the signed data was at the same > > ^ > > a hash of > > > place as the private key, at the same time. > > I've seen people *who operate CAs* lose sight of the fact that it's > > the hash that's signed, not the full data. > > OK, if you want to be pedantic. ;) > > However, let's remember that although a hash collision is *possible* to > generate, ... My point was not about hash collisions, but rather that the dongle that holds the key often has no idea at all about the meaning of what was signed. And if it's an intruder who caused the signing, there may be no record of the cleartext. If it was a certificate, you can't revoke it because you don't know its serial number or anything else[*] about it. Matt [*] Well, if NameConstraints were implemented you could put a bound on the Subject. That's not much comfort.