> If someone would issue a fake sig3 from Governikus to someone
> else how could you, for example, verify that the sig3 is from
> Governikus?

By validating Governikus's certificate.

You seem to be asking the same question (and getting the same answer) over and over again. Perhaps try a different phrasing? Or is it that the answer isn't clear?