> I think Keith has mixed up authentication with authorization. It is
> true that I will only trust certain people in certain ways. But
> whether those certain people are who they are, and whether a message
> from is in fact from them, is something we can determine with PKIs.

No it's not, because the CAs aren't trustworthy for all purposes. The example I used to give was that I'd never trust the US government's certificate of Phil Zimmermann's key, because the US government had plenty of reasons to misrepresent Phil Zimmermann. Similarly I wouldn't trust VeriSign's certificate to verify the signature on anything that had to do with DNS governance.