How does one know that one can trust the software that one is using on one's own machine for encryption, mailing, etc., or worse yet, how can one know whether to trust the software doing anonymous or other remailing on other machines? Web-of-trust schemes are only statistically reliable due to these concerns.

These are rhetorical questions; the point is, I just realized that I didn't explain myself last month when I talked about an algorithm for verifying *intentions*. A number of people emailed me to complain that authentication should be a matter of establishing a person's *real* identity -- a valid issue, but I was off on a tangent and neglected to explain my actual point:

Imagine you have a single piece of software which runs a dcnet over the internet by being instantiated on many nodes. Imagine that you're concerned that the NSA or someone will spoof a whole bunch of nodes, pretending to be the Real Software (which ordinarily helps guarantee anonymity, defeat traffic analysis, etc.), but actually working to defeat the Real Software and the people who use it.

One would like to somehow guarantee that when one talks to remote software as part of a web of trust scheme, the software really is the One and Only True Software, and not some deceitful counterfeit.

It is in *this* connection that one might wish to authenticate the unique identity of multiply instantiated *software* by a hypothetical process which ascertains the *intentions* of that software instantiation.

I previously phrased this as if it were a person that the hypothetical algorithm was authenticating, leading to understandable objections. Apologies; I had gotten into a digressive train of thought about using it with people before I posted, and it's taken me this long to realize that I never communicated clearly.

I still haven't described the algorithm ("this margin is too narrow" :-), but I hope it's more clear that such an algorithm is potentially more realizable for software than it would be for people.

Doug