A method in which information pertaining to a device (104) generating
digital signatures (122) is reliably identified includes manufacturing (102)
devices in a secure environment (114) and for each device (104) before
it is released from the secure environment: creating a public-private key pair
(116, 118); storing the private key (116) within the device (104)
for utilization in generating a digital signature (122) for a message (122);
and linking the public key (118) to a Security Profile (120) of the
device (104). The devices (104) then are released from the secure
environment (114) and a digital signature (122) is received from
somewhere (108) in the world (106). The message (122) is authenticated
using a suspect public key (124) and the suspect public key (124)
is compared with the linked public keys (118). When the suspect public
key (124) matches a linked public key (118), the Security Profile (120)
of the genuine device (104) to which the private key (116) used in
generating the digital signature (122) belongs is identified. A risk that
the message (122) is fraudulently signed is determined.
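
The flow described above, from linking keys in the secure environment to identifying the profile behind a received signature, as an added Go example that is not code from the source document. Ed25519, the SHA-256-keyed registry, the SecurityProfile fields and every name here are assumptions chosen for illustration; the risk determination is left to the caller, who receives the matched profile.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecurityProfile stands in for the profile (120); its fields are assumptions.
type SecurityProfile struct {
	Model           string
	TamperResistant bool
}

// Registry links each public key (118), by SHA-256 digest, to a profile.
type Registry map[[32]byte]SecurityProfile

var ErrBadSignature = errors.New("message does not authenticate with suspect key")
var ErrUnknownKey = errors.New("suspect key matches no linked public key")

// Manufacture runs inside the secure environment: it creates the key pair, links
// the public key to the profile, and returns the private key (116) for the device.
func (r Registry) Manufacture(seed []byte, p SecurityProfile) ed25519.PrivateKey {
	priv := ed25519.NewKeyFromSeed(seed)
	r[sha256.Sum256(priv.Public().(ed25519.PublicKey))] = p
	return priv
}

// Identify authenticates msg with the suspect public key (124), then compares
// that key with the linked keys to find the genuine device's profile.
func (r Registry) Identify(suspect ed25519.PublicKey, msg, sig []byte) (SecurityProfile, error) {
	// ed25519.Verify panics on a wrong-length key, so reject that first.
	if len(suspect) != ed25519.PublicKeySize || !ed25519.Verify(suspect, msg, sig) {
		return SecurityProfile{}, ErrBadSignature
	}
	p, ok := r[sha256.Sum256(suspect)]
	if !ok {
		return SecurityProfile{}, ErrUnknownKey
	}
	return p, nil
}

func main() {
	reg := Registry{}
	// Constructed all-zero seed and message, for demonstration only.
	priv := reg.Manufacture(make([]byte, ed25519.SeedSize), SecurityProfile{Model: "HSM-A"})
	msg := []byte("constructed message")
	fmt.Println(reg.Identify(priv.Public().(ed25519.PublicKey), msg, ed25519.Sign(priv, msg)))
}
```

A signature that verifies under a key absent from the registry returns ErrUnknownKey rather than a profile, which is the case where the signer cannot be tied to any manufactured device.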