What sorts of software need to be able to produce "authentic[ated]" content? The mention of #12 (comment) implies that the software incorporates the private key for that certificate, which requires that end-users can't extract the private key to sign their own forgeries with it. This requires the software to run in the cloud or possibly in a DRM-controlled sandbox on end-user machines. Is that acceptable, or does open-source software need to be able to participate in this part of the ecosystem?
First and foremost - it's not just software, but also hardware. As someone said, being able to establish provenance "glass to glass" would be best case scenario - but we've got a long way to go to get there.
Second - there is no question that open source solutions need to be able to participate in any ecosystem that is going to be viable for the world. But I would not expect an open source authoring tool to be issued a single certificate for itself that would be the same for all instances - that would not be "safe computing" (on many levels). I would, however, expect that a user might be issued their own "private key" when they install such software - just as they can create their own keys in their OSs. Or users can (and should be able to) "bring their own keys" from other places, such as the keys issued by their governments on their ID cards.
Finally, I would expect there to be solutions at varying "security assurance levels" and users can choose the one(s) that they are most comfortable with.
From #12
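The trade-off discussed in the thread above, as an added example (not code from the thread or from the project): a Go sketch contrasting one key shared by every install of a tool with a key per user, from the verifier's point of view. The `TrustList` type, its methods, the signer names and the signed content are all hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// TrustList is a hypothetical verifier-side registry: signer ID -> public key.
type TrustList map[string]ed25519.PublicKey

var content = []byte("constructed sample asset") // constructed input, not real data

// Enroll creates a fresh key pair for one signer and registers its public half.
func (t TrustList) Enroll(id string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	t[id] = pub
	return priv
}

// Verify reports whether sig over data checks out under the key enrolled for id.
func (t TrustList) Verify(id string, data, sig []byte) bool {
	pub, ok := t[id]
	return ok && ed25519.Verify(pub, data, sig)
}

// SharedKeyModel: every install holds the same key, so one leak forces a revocation that hits all users.
func SharedKeyModel() (honestStillValid bool) {
	t := TrustList{}
	sig := ed25519.Sign(t.Enroll("tool"), content) // an honest user's signature
	delete(t, "tool")                              // the only remedy once any install leaks the key
	return t.Verify("tool", content, sig)
}

// PerUserModel: each user has a distinct key, so revoking one leaves the others valid.
func PerUserModel() (aliceValid, bobValid bool) {
	t := TrustList{}
	aSig := ed25519.Sign(t.Enroll("alice"), content)
	bSig := ed25519.Sign(t.Enroll("bob"), content)
	delete(t, "bob") // assume bob's key was compromised and is revoked
	return t.Verify("alice", content, aSig), t.Verify("bob", content, bSig)
}

func main() {
	a, b := PerUserModel()
	fmt.Println(SharedKeyModel(), a, b)
}
```
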