Re: Slightly OT - i need the proper wording for a signed document

2018-10-31 Thread Dirk Gottschalk via Gnupg-users
Hello Stefan.

On Wednesday, 31.10.2018, at 18:59 +0100, Stefan Claas wrote:
> On Wed, 31 Oct 2018 18:53:33 +0100, Stefan Claas wrote:
> > Hi all,
> > 
> > i hope this is not too much off-topic...
> > 
> > I recently signed up for the new Service of Germany's
> > Bundesdruckerei*, to obtain a *qualified* X.509 Certificate,
> > which is complaint with the EU's eIDAS regulation.
> 
> Oh... sorry i mean  *compliant* of course!

Compliant to... ^^

To answer your question, even if the answer is not what you expected:

I don't think this would change anything about the reputation of your key.
I don't even think there is any good reason for the EU regulation at
all. There is much taste of "get the citizens' money for everything" in
it. ^^

The trust level for a key depends on the trust in the signatures which
are made on your key. There is no valid reason to trust "Governikus"
or "D-Trust (Bundesdruckerei)" by default at all, especially for people
in foreign countries. Even I don't do this.

Best thing is to verify a key personally.

I would create a file which describes how your key was verified before
signing and the data FPR and UID of your gnupg key, sign this with your
X.509 and create a detached signature with gnupg. Needless to say that
you should use the key mentioned in the PDF.

The wording should not be difficult itself. Something like:

The OpenPGP key

key data

is signed by Governikus.


 ... signed by ...


And so on.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Slightly OT - i need the proper wording for a signed document

2018-10-31 Thread Stefan Claas
Hi all,

i hope this is not too much off-topic...

I recently signed up for the new Service of Germany's
Bundesdruckerei*, to obtain a *qualified* X.509 Certificate,
which is complaint with the EU's eIDAS regulation.

Because PGP signatures are not qualified, nor the pub keys,
i thought to create a little .pdf document containing my
name and my pub key data and give this a qualified signature
and publish it on keybase. The signed document will then
also be detached signed with my current GnuPG key.

The idea behind this is that people who find my pub key on
keybase can be assured that i am the owner of the key.

My pub key bears also a sig3 from Governikus, but i can't
expect that people living outside of Germany understand what
Governikus is and how the Governikus signing procedure works.

So far so good.., since i am no native English speaker i would
like to know what the proper wording would be to put such
statement in the .pdf document and what name should i use
for this document.

Any help would be greatly appreciated!

* https://cloud.sign-me.de/signature/start

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Slightly OT - i need the proper wording for a signed document

2018-10-31 Thread Stefan Claas
On Wed, 31 Oct 2018 18:53:33 +0100, Stefan Claas wrote:
> Hi all,
> 
> i hope this is not too much off-topic...
> 
> I recently signed up for the new Service of Germany's
> Bundesdruckerei*, to obtain a *qualified* X.509 Certificate,
> which is complaint with the EU's eIDAS regulation.

Oh... sorry i mean  *compliant* of course!

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: File name seen by gpg

2018-10-31 Thread Werner Koch
On Wed, 31 Oct 2018 01:33, alvaro@gmail.com said:
> It seems I was not looking at the right keywords when I searched, because I 
> couldn't find that option before.

Note that the filename stored with the encrypted or signed data is not
even covered by the signature.  Thus it is possible for anyone to change
the filename in a signed file and trick the recipient into creating a
file of that name.  This is why gpg does not use that name for the
output file.



Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
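
The point above at the packet level, as an added example (not part of the original message and not GnuPG code): under RFC 4880, a binary-document signature hashes only the data of the Literal Data packet plus the signature trailer, so two packets that differ only in the embedded filename produce the same digest. The function names and the sample content are constructed for illustration, and the trailer assumes a v4 RSA/SHA-256 signature with no hashed subpackets.

```python
import hashlib
import struct

LITERAL_TAG = 0xC0 | 11  # new-format packet header, tag 11 (Literal Data)

def build_literal_packet(filename: bytes, data: bytes, mtime: int = 0) -> bytes:
    """Literal Data packet: format, name length, name, 4-byte date, data."""
    body = b"b" + bytes([len(filename)]) + filename + struct.pack(">I", mtime) + data
    if len(body) >= 192:
        raise ValueError("this sketch only emits one-octet packet lengths")
    return bytes([LITERAL_TAG, len(body)]) + body

def parse_literal_packet(packet: bytes):
    """Return (filename, data) for a packet built by build_literal_packet."""
    if len(packet) < 8 or packet[0] != LITERAL_TAG or packet[1] != len(packet) - 2:
        raise ValueError("not a short new-format Literal Data packet")
    body = packet[2:]
    name_len = body[1]
    if 2 + name_len + 4 > len(body):
        raise ValueError("truncated packet")
    return body[2:2 + name_len], body[2 + name_len + 4:]

def signed_digest(packet: bytes) -> str:
    """SHA-256 that a v4 binary-document signature is computed over."""
    _, data = parse_literal_packet(packet)  # filename and date are dropped here
    # version 4, sig type 0x00 (binary), pubkey algo 1 (RSA),
    # hash algo 8 (SHA-256), zero-length hashed subpacket area (assumption)
    hashed = bytes([4, 0x00, 1, 8]) + struct.pack(">H", 0)
    trailer = hashed + b"\x04\xff" + struct.pack(">I", len(hashed))
    return hashlib.sha256(data + trailer).hexdigest()

# Constructed sample: same content, two different embedded names.
DATA = b"quarterly figures\n"
original = build_literal_packet(b"report.txt", DATA)
renamed = build_literal_packet(b"other-name.txt", DATA)

if __name__ == "__main__":
    for pkt in (original, renamed):
        name, _ = parse_literal_packet(pkt)
        print(name.decode(), signed_digest(pkt))
```

Both lines print the same digest, which is why a verifier has to treat the embedded name as unauthenticated metadata and take the output name from the user instead.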




gpg troubles

2018-10-31 Thread Roland Siemons (P)
Thanks Friedhelm,

That is a lot to think about.
I'll study ..

Best regards,

Roland


On 31/10/2018 01:33, gnupg-users-requ...@gnupg.org wrote:
> Date: Mon, 29 Oct 2018 04:18:31 +0100
> From: Friedhelm Waitzmann 
> To: gnupg-users@gnupg.org
> Subject: Re: gpg troubles
> Message-ID: <20181029031830.ga24...@kugelfisch.zuhause.test>
>
> Roland Siemons (P) at Fri., 2018-10-12:
>
>> 3/ Assisted remotely by some of you, I was able to sort out a very
>> strange problem with decryption. The solution was found by manipulating
>> my key from inside the gpg shell using the command line. I am not very
>> experienced with the command line. A major difficulty for those for whom
>> this is not daily bread and butter is that mistakes are easily made.
>> Hence the great value of GUIs.
>> 4/ I observed some unclarities in the GnuPG manual
>> (www.gnupg.org/gph/en/manual.html), here below under A.
> This is the GnuPG privacy handbook rather than the GnuPG manual.
> I suggest that you read the GnuPG manual
> () also, as
> it is the definitive instruction how to use GnuPG.
>
>> And perhaps also
>> some bugs in gpg, here below under B (please consider). Here is my
>> experience:
>> A/ I tried to revoke some subkeys, following the said manual (heading
>> "Revoking key components"). gpg pretended to do the job. Everything
>> looked fine. But it didn't! After several hours of analysis (up to
>> checking if GnuPG was installed consistently on my system), I found the
>> issue: After the revkey procedure it is necessary to command "quit".
> A better way of committing the changes is typing in "save".
>
> Please see the GnuPG manual
> ().
>
> For the "--edit-key" main command (given at the command line) it
> lists the sub commands (to be typed into the edit key command
> shell):
>
> save
>
> Save all changes to the keyrings and quit.
>
> quit
>
> Quit the program without updating the keyrings. 
>
>> Instead of quitting, gpg then asks "do you want to save yr changes" (or
>> something like that).
> This is to remind you that you are about to discard your changes.
>
>> And only then the subkeys were revoked. The said
>> manual does mention the command "quit" only once, and not even in a
>> general place explaining the operations of gpg, and in fact without any
>> explanation as to the impact of that command.
> The GnuPG manual (not the privacy handbook) mentions both of
> "save" and "quit" and explains the difference.
>
>> Of course I am happy to
>> have found out, but let's hope that I remember when after perhaps 2
>> years time I have to use gpg shell again
> Just remember to read the GnuPG manual also.
>
>> B/ It is not at all clear to me how to start the gpg shell.
> This isn't a general ("the") GnuPG shell for all GnuPG commands,
> it is a shell for the limited set of "--edit-key" sub commands.
> That is, the "--edit-key" specified at the GnuPG invocation
> command line lets GnuPG run an interactive interpreter for the
> "--edit-key" subcommands that have to be typed in.
>
>> For example:
>> 1/ if (under the CMD terminal) I command "gpg -K", the lists of private
>> keys is returned,
> Generating this list doesn't need to ask the user to type any sub
> commands, so there is no "--list-secret-keys" shell.
>
>> but I am also returned to CMD, that is, kicked out of
>> the gpg shell.
> If GnuPG has written this list into its standard output channel,
> the job is done, thus GnuPG terminates, nobody is "kicked out".
>
>> 2/ if (CMD) I command "gpg --edit-key X" (where X is key identifier), I
>> do indeed enter the gpg shell, the screen showing "gpg>".
> You enter the shell that recognizes the limited set of the
> "--edit-key" sub commands.
>
>> That all may be all right, HOWEVER:
>> 3/ if (CMD) I command "gpg", the return is: "gpg: WARNING: no command
>> supplied.  Trying to guess what you mean ...  gpg: Go ahead and
>> type your message . 
> Please read the GnuPG manual
> ():
>
>    "gpg may be run with no commands. In this case it will perform
>    a reasonable action depending on the type of file it is given
>    as input (an encrypted message is decrypted, a signature is
>    verified, a file containing keys is listed, etc.)."
>
> So GnuPG expects that you type in an encrypted message, a
> detached signature, a clear-signed message, a public key block, etc.
>
>> Then if I type a gpg command, everything stalls.
> Here you cannot type a GnuPG command, because GnuPG wants input,
> i.e. data.  As you haven't specified any input file on the
> command line, GnuPG wants this data through its standard input
> channel, that is, typed in from the keyboard.
>
>> No results whatsoever.
> Unless the end of data is signalled (by typing the end-of-file
> character, with UNIX usually control d, with MS