From #12

What sorts of software need to be able to produce "authentic[ated]" content? The mention of #12 (comment) implies that the software incorporates the private key for that certificate, which requires that end-users can't extract the private key to sign their own forgeries with it. This requires the software to run in the cloud or possibly in a DRM-controlled sandbox on end-user machines. Is that acceptable, or does open-source software need to be able to participate in this part of the ecosystem?