Re: Slightly OT - i need the proper wording for a signed document

2018-11-08 Thread Stefan Claas
On Sun, 4 Nov 2018 21:51:00 +0100, Stefan Claas wrote:
> On Sat, 3 Nov 2018 17:48:41 +0100, Stefan Claas wrote:

> 
> 
> First I signed the document with my qualified certificate and then
> gave it a qualified time stamp. Finally I detached-signed the .pdf
> with my current key, and after this I time-stamped the detached sig
> with the opentimestamp.org service.
> 
> Please note the attestation on opentimestamp.org is currently pending.
> 
> Maybe this example could be useful for other people too.
> 
> Criticism and comments are welcome!

And a declaration of ownership.



Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas


pgpOI3J18EPG_.pgp
Description: Digital signature from OpenPGP
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Slightly OT - i need the proper wording for a signed document

2018-11-04 Thread Stefan Claas
On Sat, 3 Nov 2018 17:48:41 +0100, Stefan Claas wrote:

> I think this may also be a good thing if it were accepted
> by the PGP community: say, if someone lost his/her GnuPG
> revocation certificate and the passphrase for his/her secret key,
> one could sign a document containing the key data etc., too,
> like I proposed in my initial posting.

And I just did that, as a little example of how a document could
look. The files can be downloaded from my keybase account.



First I signed the document with my qualified certificate and then gave
it a qualified time stamp. Finally I detached-signed the .pdf with my
current key, and after this I time-stamped the detached sig with the
opentimestamp.org service.

Please note the attestation on opentimestamp.org is currently pending.

Maybe this example could be useful for other people too.

Criticism and comments are welcome!

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Slightly OT - i need the proper wording for a signed document

2018-11-03 Thread Stefan Claas

On 03.11.18 at 17:30, Juergen BRUCKNER wrote:

> Hello Stefan, Hello all,
> 
> of course it is possible that several people sign (and/or timestamp) a
> document.
> Just an example out of my business:
> There is a contract to be signed by more than 2 persons or parties. So I
> make a document of it - for example a pdf file (which is recommended) -
> and send it to the next person who has to sign it; this person signs and
> sends it to another person for signing ... and so on.
> As long as the document is not edited, all signatures stay intact and valid.
> 
> This is necessary, as otherwise a contract between 2 parties could
> never be signed.


Hi Jürgen,

thanks for confirming and your explanation.

I must admit that this is all new to me.

I think this may also be a good thing if it were accepted
by the PGP community: say, if someone lost his/her GnuPG
revocation certificate and the passphrase for his/her secret key,
one could sign a document containing the key data etc., too,
like I proposed in my initial posting.

Regards
Stefan





Re: Slightly OT - i need the proper wording for a signed document

2018-11-03 Thread Juergen BRUCKNER
Hello Stefan, Hello all,

of course it is possible that several people sign (and/or timestamp) a
document.
Just an example out of my business:
There is a contract to be signed by more than 2 persons or parties. So I
make a document of it - for example a pdf file (which is recommended) -
and send it to the next person who has to sign it; this person signs and
sends it to another person for signing ... and so on.
As long as the document is not edited, all signatures stay intact and valid.

This is necessary, as otherwise a contract between 2 parties could
never be signed.

regards
Juergen

On 03.11.18 at 17:21, Stefan Claas wrote:
> On Sat, 3 Nov 2018 10:43:49 +0100, Stefan Claas wrote:
>> On Fri, 2 Nov 2018 15:42:40 +0100, Stefan Claas wrote:
> 
>>> I strongly assume that it is also possible that someone
>>> else can sign my .pdf too with a qualified signature and
>>> this will also not invalidate my qualified signature, unless
>>> of course someone would *edit* my document.  
>>
>> Just did a test with an older .pdf, which was signed with my
>> non-qualified D-Trust certificate and time stamped with
>> freetsa. Now I signed it again with my qualified D-Trust certificate
>> and time stamped again.
>>
>> Works perfectly! :-)
> 
> Small update: A Usenet friend just signed my .pdf too, with his
> qualified D-Trust certificate and it works as expected. :-)
> 
> Regards
> Stefan
> 
> 
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: Slightly OT - i need the proper wording for a signed document

2018-11-03 Thread Stefan Claas
On Sat, 3 Nov 2018 10:43:49 +0100, Stefan Claas wrote:
> On Fri, 2 Nov 2018 15:42:40 +0100, Stefan Claas wrote:

> > I strongly assume that it is also possible that someone
> > else can sign my .pdf too with a qualified signature and
> > this will also not invalidate my qualified signature, unless
> > of course someone would *edit* my document.  
> 
> Just did a test with an older .pdf, which was signed with my
> non-qualified D-Trust certificate and time stamped with
> freetsa. Now I signed it again with my qualified D-Trust certificate
> and time stamped again.
> 
> Works perfectly! :-)

Small update: A Usenet friend just signed my .pdf too, with his
qualified D-Trust certificate and it works as expected. :-)

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Slightly OT - i need the proper wording for a signed document

2018-11-03 Thread Dirk Gottschalk via Gnupg-users
Hello Wiktor.

On Friday, 02.11.2018, 17:17 +0100, Wiktor Kwapisiewicz wrote:
> On 02.11.2018 15:35, Dirk Gottschalk wrote:
> > I prefer GPG. And no, GPG does not lack timestamping; a timestamp
> > is included in every signature.

> Signature creation date is not the same as timestamping. As for why,
> you may consider the problem of validating signatures made by revoked
> keys. Without timestamping this kind of signature is inherently
> insecure (as the compromised key could be used by the attacker to
> create a backdated signature).

Yeah, I see what you mean. Right, that was out of my sight.

> For example Authenticode uses timestamping [0] so that old signatures
> can still be considered valid even when the key expires or is revoked
> later.

> Adding something comparable to OpenPGP was discussed [1] on OpenPGP
> ML recently and previously [2].

Thanks for the information.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Slightly OT - i need the proper wording for a signed document

2018-11-03 Thread Dirk Gottschalk via Gnupg-users
Hello Juergen.

On Friday, 02.11.2018, 18:27 +0100, Juergen BRUCKNER wrote:
> Hello Dirk,
> On 02.11.18 at 15:20, Dirk Gottschalk via Gnupg-users wrote:
> > You mean, you "tampered" with the file and the signature is still
> > valid? Are you sure? Then Adobe does something really bad, IMHO.
> > 
> > Such a signature should ensure that the file is completely
> > unmodified.
> > Otherwise somebody can modify it in a way that could be used as a
> > backdoor to the signature, at least in theory.
> That is correct: a signature stays valid if a timestamp is added
> AFTER signing the document. Very simplified, it uses the same method
> for timestamping as for signing, and it is a kind of 2nd signature on
> the same document. The document is NOT altered or manipulated.

Okay, you're right. When I sign AND timestamp a document with
LibreOffice, then I'm asked 2 times for my card PIN. Seems like the
document is signed first and then the timestamp. I never paid attention
to this, but your explanation seems to clear up this phenomenon.

Regards.
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Slightly OT - i need the proper wording for a signed document

2018-11-03 Thread Stefan Claas
On Fri, 2 Nov 2018 15:42:40 +0100, Stefan Claas wrote:
> On 02.11.18 at 15:20, Dirk Gottschalk wrote:
> > Hello Stefan.
> >
> > On Friday, 02.11.2018, 12:53 +0100, Stefan Claas wrote:
> >> Hi Wiktor,
> >>
> >> thanks a lot! Now this is awesome... I just timestamped my already
> >> signed .pdf with Adobe Reader DC and this does not invalidate my
> >> qualified signature when saving the document again! :-) I must
> >> admit I did not know this.
> > You mean, you "tampered" with the file and the signature is still
> > valid? Are you sure? Then Adobe does something really bad, IMHO.
> >
> > Such a signature should ensure that the file is completely
> > unmodified. Otherwise somebody can modify it in a way that could be
> > used as a backdoor to the signature, at least in theory.
> Hi Dirk,
> 
> I did not tamper with the file; I simply used the function
> in Adobe Reader DC to let it *add* a time stamp to my
> document and then saved it again.
> 
> I strongly assume that it is also possible for someone
> else to sign my .pdf too with a qualified signature, and
> this will also not invalidate my qualified signature, unless
> of course someone would *edit* my document.

Just did a test with an older .pdf, which was signed with my
non-qualified D-Trust certificate and time stamped with
freetsa. Now I signed it again with my qualified D-Trust certificate
and time stamped again.

Works perfectly! :-)

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Slightly OT - i need the proper wording for a signed document

2018-11-02 Thread Juergen BRUCKNER
Hello Dirk,

On 02.11.18 at 15:20, Dirk Gottschalk via Gnupg-users wrote:
> You mean, you "tampered" with the file and the signature is still
> valid? Are you sure? Then Adobe does something really bad, IMHO.
> 
> Such a signature should ensure that the file is completely unmodified.
> Otherwise somebody can modify it in a way that could be used as a
> backdoor to the signature, at least in theory.

That is correct: a signature stays valid if a timestamp is added
AFTER signing the document. Very simplified, it uses the same method
for timestamping as for signing, and it is a kind of 2nd signature on
the same document. The document is NOT altered or manipulated.

regards
Juergen

-- 
Juergen M. Bruckner
juer...@bruckner.tk



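Juergen's point above (a timestamp or a further signature is added after the signed bytes, so the earlier signature stays valid as long as the document itself is not edited) is how PDF signatures behave: each signature covers a /ByteRange of the file, and a later timestamp or co-signature is written as an incremental update appended after that range. The toy model below is an added example, not code from the thread or from Adobe Reader, LibreOffice or any TSA; HMAC-SHA256 with a per-signer key stands in for a certificate-based signature, the "PDF" is a constructed byte string, and the signer names are made up.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SigRecord:
    signer: str
    covered_end: int   # this signature covers doc[0:covered_end]
    value: bytes       # toy signature value over exactly those bytes


def _sign_bytes(key: bytes, data: bytes) -> bytes:
    # Stand-in for the signer's certificate-based signature operation.
    return hmac.new(key, data, hashlib.sha256).digest()


def append_signature(doc: bytes, key: bytes, signer: str) -> tuple[bytes, SigRecord]:
    """Sign every byte currently in the file, then append the signature as an
    incremental update. The appended bytes lie outside the covered range, so
    nothing an earlier signer signed is touched."""
    covered_end = len(doc)
    rec = SigRecord(signer, covered_end, _sign_bytes(key, doc[:covered_end]))
    update = (b"\n%% incremental update: signature by " + signer.encode()
              + b" covering bytes [0, " + str(covered_end).encode() + b")\n"
              + rec.value.hex().encode() + b"\n")
    return doc + update, rec


def verify_all(doc: bytes, records: list[SigRecord], keys: dict[str, bytes]) -> dict[str, bool]:
    """Re-check every signature against exactly the bytes it claims to cover."""
    result: dict[str, bool] = {}
    for rec in records:
        if rec.covered_end > len(doc):
            result[rec.signer] = False          # file truncated below the covered range
            continue
        expected = _sign_bytes(keys[rec.signer], doc[:rec.covered_end])
        result[rec.signer] = hmac.compare_digest(expected, rec.value)
    return result


def demo() -> dict[str, dict[str, bool]]:
    # Constructed keys and document. The order mirrors the thread:
    # the author signs, a TSA adds a document timestamp, a counterparty co-signs.
    keys = {"author": b"author-key", "tsa": b"tsa-key", "counterparty": b"counterparty-key"}
    doc = b"%PDF-1.7\n... contract text (constructed) ...\n"
    records: list[SigRecord] = []
    for signer in ("author", "tsa", "counterparty"):
        doc, rec = append_signature(doc, keys[signer], signer)
        records.append(rec)

    # 1. Appending only: every earlier signature still verifies.
    after_appends = verify_all(doc, records, keys)

    # 2. An edit inside the contract text: all three covered ranges include it.
    edited = bytearray(doc)
    edited[20] ^= 0x01
    edit_in_text = verify_all(bytes(edited), records, keys)

    # 3. An edit to bytes appended after the author signed (inside the first
    #    incremental update): the author's signature is untouched, but the
    #    timestamp and the counter-signature cover those bytes and fail.
    edited = bytearray(doc)
    edited[records[0].covered_end + 5] ^= 0x01
    edit_after_first = verify_all(bytes(edited), records, keys)

    return {"after_appends": after_appends,
            "edit_in_text": edit_in_text,
            "edit_after_first_signature": edit_after_first}


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Case 3 is the caveat a relying party should keep in mind: the first signer's signature vouches only for the bytes in its own range, so a verifier still has to look at what each later incremental update adds (a timestamp or another signature, as here, versus a content change), which is what a PDF viewer is doing when it reports whether changes after the first signature were permitted.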


Re: Slightly OT - i need the proper wording for a signed document

2018-11-02 Thread Wiktor Kwapisiewicz via Gnupg-users
On 02.11.2018 15:35, Dirk Gottschalk wrote:
> I prefer GPG. And no, GPG does not lack timestamping, a timestamp is
> included in every signature.

Signature creation date is not the same as timestamping. As for why, you
may consider the problem of validating signatures made by revoked keys.
Without timestamping this kind of signature is inherently insecure (as
the compromised key could be used by the attacker to create a backdated
signature).

For example Authenticode uses timestamping [0] so that old signatures
can still be considered valid even when the key expires or is revoked later.

Adding something comparable to OpenPGP was discussed [1] on OpenPGP ML
recently and previously [2].

Kind regards,
Wiktor

[0]:
https://docs.microsoft.com/en-US/windows/desktop/SecCrypto/time-stamping-authenticode-signatures

[1]: https://www.ietf.org/mail-archive/web/openpgp/current/msg09092.html

[2]: https://www.ietf.org/mail-archive/web/openpgp/current/msg07136.html

-- 
https://metacode.biz/@wiktor



Re: Slightly OT - i need the proper wording for a signed document

2018-11-02 Thread Stefan Claas

On 02.11.18 at 15:20, Dirk Gottschalk wrote:
> Hello Stefan.
> 
> On Friday, 02.11.2018, 12:53 +0100, Stefan Claas wrote:
>> Hi Wiktor,
>> 
>> thanks a lot! Now this is awesome... I just timestamped my already
>> signed .pdf with Adobe Reader DC and this does not invalidate my
>> qualified signature when saving the document again! :-) I must admit
>> I did not know this.
> 
> You mean, you "tampered" with the file and the signature is still
> valid? Are you sure? Then Adobe does something really bad, IMHO.
> 
> Such a signature should ensure that the file is completely unmodified.
> Otherwise somebody can modify it in a way that could be used as a
> backdoor to the signature, at least in theory.

Hi Dirk,

I did not tamper with the file; I simply used the function
in Adobe Reader DC to let it *add* a time stamp to my
document and then saved it again.

I strongly assume that it is also possible for someone
else to sign my .pdf too with a qualified signature, and
this will also not invalidate my qualified signature, unless
of course someone would *edit* my document.

This would then mean in reality that, for example,
a "boss", team leader or whoever prepares a contract
signs it and then lets other parties sign this document
too, and all involved parties then have a multiply signed
and valid document.

You can check the two timestamps (one from freetsa and another
commercial one which is in the EU list) I added to my
greetings.pdf on keybase.

Regards
Stefan









Re: Slightly OT - i need the proper wording for a signed document

2018-11-02 Thread Dirk Gottschalk via Gnupg-users
Hello Wiktor.

On Thursday, 01.11.2018, 20:14 +0100, Wiktor Kwapisiewicz wrote:
> On 01.11.2018 11:19, stefan.cl...@posteo.de wrote:

> Do you mean X.509 is technically good or just more widely supported
> in software than OpenPGP? For me there are only few cases where X.509
> infrastructure has something that OpenPGP lacks (e.g. timestamping).

I prefer GPG. And no, GPG does not lack timestamping; a timestamp is
included in every signature.

X.509 is more widely spread. I think this is the only reason that it is
preferred by some users. I would like to see GPG more widely
used. For me, X.509 is not more trustworthy than GPG; I trust this
system and the signed certificate less in many cases.

The signature regulations in the EU are not the best. In the US, I
read, even PGP is approved in some states. They use it even for notary
approvals. We had a thread describing this a few months ago.

The only thing is that GPG can not do inline signing of PDFs. This
would be a nice feature, but AFAIK the PDF standard doesn't leave
us this option.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Slightly OT - i need the proper wording for a signed document

2018-11-02 Thread Dirk Gottschalk via Gnupg-users
Hello Stefan.

On Friday, 02.11.2018, 12:53 +0100, Stefan Claas wrote:
> 
> Hi Wiktor,
> 
> thanks a lot! Now this is awesome... I just timestamped my already
> signed .pdf with Adobe Reader DC and this does not invalidate my
> qualified signature when saving the document again! :-) I must admit
> I did not know this.

You mean, you "tampered" with the file and the signature is still
valid? Are you sure? Then Adobe does something really bad, IMHO.

Such a signature should ensure that the file is completely unmodified.
Otherwise somebody can modify it in a way that could be used as a
backdoor to the signature, at least in theory.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Slightly OT - i need the proper wording for a signed document

2018-11-02 Thread Dirk Gottschalk via Gnupg-users
Hi guys.

On Friday, 02.11.2018, 12:53 +0100, Stefan Claas wrote:
> On Fri, 2 Nov 2018 12:20:43 +0100, Wiktor Kwapisiewicz wrote:
> > On 02.11.2018 10:53, Stefan Claas wrote:
> > > Simply, one can use a time stamping service based on blockchain
> > > technology. I can then time stamp the .pdf and also put a
> > > statement in the .pdf that the file is timestamped, and need not
> > > worry in the future if a MITM would try (and why?) to alter my
> > > documents.
> > 
> > PDFs can also be timestamped when signing with a standard RFC 3161
> > [0] timestamping service.
> > 
> > Here's one example:
> > 
> > https://support.globalsign.com/customer/en/portal/articles/2361790-add-timestamp-server---adobe-acrobat
> > 
> > But there are numerous free RFC 3161 timestamping services.
> > 
> > Of course that's not the same as blockchain, but it's already
> > supported by numerous tools (like Adobe Acrobat).
> > [0]: https://tools.ietf.org/html/rfc3161
> 
> Hi Wiktor,
> 
> thanks a lot! Now this is awesome... I just timestamped my already
> signed .pdf with Adobe Reader DC and this does not invalidate my
> qualified signature when saving the document again! :-) I must admit
> I did not know this.

freetsa offers a free timestamping service based on blockchain
technology, AFAIK. I use it myself to stamp PDFs. The free service
offers 10 timestamps per day, which should be enough for normal usage.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Slightly OT - i need the proper wording for a signed document

2018-11-02 Thread Stefan Claas
On Fri, 2 Nov 2018 12:20:43 +0100, Wiktor Kwapisiewicz wrote:
> On 02.11.2018 10:53, Stefan Claas wrote:
> > Simply, one can use a time stamping service based on blockchain
> > technology. I can then time stamp the .pdf and also put a
> > statement in the .pdf that the file is timestamped, and need not
> > worry in the future if a MITM would try (and why?) to alter my
> > documents.
> 
> PDFs can also be timestamped when signing with a standard RFC 3161 [0]
> timestamping service.
> 
> Here's one example:
> 
> https://support.globalsign.com/customer/en/portal/articles/2361790-add-timestamp-server---adobe-acrobat
> 
> But there are numerous free RFC 3161 timestamping services.
> 
> Of course that's not the same as blockchain, but it's already
> supported by numerous tools (like Adobe Acrobat).

> [0]: https://tools.ietf.org/html/rfc3161

Hi Wiktor,

thanks a lot! Now this is awesome... I just timestamped my already
signed .pdf with Adobe Reader DC and this does not invalidate my
qualified signature when saving the document again! :-) I must admit
I did not know this.

Regards
Stefan


-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas



Re: Slightly OT - i need the proper wording for a signed document

2018-11-02 Thread Wiktor Kwapisiewicz via Gnupg-users
On 02.11.2018 10:53, Stefan Claas wrote:
> Simply, one can use a time stamping service based on blockchain
> technology. I can then time stamp the .pdf and also put a
> statement in the .pdf that the file is timestamped, and need not
> worry in the future if a MITM would try (and why?) to alter my
> documents.

PDFs can also be timestamped when signing with a standard RFC 3161 [0]
timestamping service.

Here's one example:

https://support.globalsign.com/customer/en/portal/articles/2361790-add-timestamp-server---adobe-acrobat

But there are numerous free RFC 3161 timestamping services.

Of course that's not the same as blockchain, but it's already supported
by numerous tools (like Adobe Acrobat).

Kind regards,
Wiktor

[0]: https://tools.ietf.org/html/rfc3161

-- 
https://metacode.biz/@wiktor

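Wiktor makes two related points in this thread: here, that an RFC 3161 timestamping service can be used alongside the signature, and earlier, that a signature's own creation date is not a timestamp, because a compromised key can produce a backdated signature, which is exactly the case that matters once a key is revoked. The model below is an added example that ties the two together; it is not code from the thread, from GnuPG or from any TSA. HMAC-SHA256 stands in for both the signer's and the TSA's certificate-based signatures so that it runs with the standard library only, and the signer name, keys, dates and message are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _mac(key: bytes, data: bytes) -> bytes:
    # Stand-in for a public-key signature, so the example needs only the stdlib.
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass(frozen=True)
class Signature:
    signer: str
    claimed_time: datetime      # chosen by whoever holds the key; nothing verifies it
    message_digest: str
    value: bytes


@dataclass(frozen=True)
class TimestampToken:
    message_imprint: str        # hash of the signature value (RFC 3161 MessageImprint)
    gen_time: datetime          # asserted by the TSA, not by the signer
    value: bytes                # TSA's signature over imprint and gen_time


def make_signature(signer_key: bytes, signer: str, message: bytes, claimed_time: datetime) -> Signature:
    digest = _sha256_hex(message)
    to_sign = f"{signer}|{claimed_time.isoformat()}|{digest}".encode()
    return Signature(signer, claimed_time, digest, _mac(signer_key, to_sign))


def signature_valid(signer_key: bytes, sig: Signature, message: bytes) -> bool:
    to_sign = f"{sig.signer}|{sig.claimed_time.isoformat()}|{_sha256_hex(message)}".encode()
    return hmac.compare_digest(_mac(signer_key, to_sign), sig.value)


def tsa_issue_token(tsa_key: bytes, sig: Signature, tsa_clock: datetime) -> TimestampToken:
    """The TSA never sees the document, only a hash of the signature, and binds
    that hash to its own clock reading."""
    imprint = _sha256_hex(sig.value)
    return TimestampToken(imprint, tsa_clock,
                          _mac(tsa_key, f"{imprint}|{tsa_clock.isoformat()}".encode()))


def token_valid(tsa_key: bytes, sig: Signature, token: TimestampToken) -> bool:
    if token.message_imprint != _sha256_hex(sig.value):
        return False
    expected = _mac(tsa_key, f"{token.message_imprint}|{token.gen_time.isoformat()}".encode())
    return hmac.compare_digest(expected, token.value)


def accept(sig: Signature, message: bytes, token: Optional[TimestampToken],
           signer_key: bytes, tsa_key: bytes, revoked_at: Optional[datetime]) -> tuple[bool, str]:
    """Relying-party policy: once the key is revoked, only a trusted timestamp
    that predates the revocation can keep a signature acceptable. The
    signature's own claimed_time is deliberately never consulted."""
    if not signature_valid(signer_key, sig, message):
        return False, "signature does not verify"
    if revoked_at is None:
        return True, "key not revoked"
    if token is None:
        return False, "key revoked and no trusted timestamp; claimed creation time is self-asserted"
    if not token_valid(tsa_key, sig, token):
        return False, "timestamp token does not verify"
    if token.gen_time < revoked_at:
        return True, "trusted timestamp predates revocation"
    return False, "trusted timestamp is later than revocation"


def demo() -> dict[str, bool]:
    utc = timezone.utc
    signer_key, tsa_key = b"alice-signing-key (constructed)", b"tsa-key (constructed)"
    message = b"constructed contract text"
    revoked_at = datetime(2018, 6, 1, tzinfo=utc)

    # Alice signs in January and has the signature timestamped right away.
    jan = datetime(2018, 1, 15, tzinfo=utc)
    good_sig = make_signature(signer_key, "alice", message, jan)
    good_tok = tsa_issue_token(tsa_key, good_sig, jan)

    # After the key has leaked, a signature made in September that carries a
    # January creation date verifies cryptographically just as well ...
    sep = datetime(2018, 9, 10, tzinfo=utc)
    altered = message + b" (altered)"
    late_sig = make_signature(signer_key, "alice", altered, jan)
    # ... but any timestamp it can obtain carries the TSA's real clock.
    late_tok = tsa_issue_token(tsa_key, late_sig, sep)

    return {
        "stamped_before_revocation": accept(good_sig, message, good_tok, signer_key, tsa_key, revoked_at)[0],
        "backdated_no_timestamp": accept(late_sig, altered, None, signer_key, tsa_key, revoked_at)[0],
        "backdated_late_timestamp": accept(late_sig, altered, late_tok, signer_key, tsa_key, revoked_at)[0],
        "creation_dates_are_identical": good_sig.claimed_time == late_sig.claimed_time,
    }
```

The last entry of `demo()` is the whole argument in one comparison: the two signatures carry the same self-asserted creation date, so that date cannot separate them; only the TSA's `gen_time`, which the signer does not control, does.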


Re: Slightly OT - i need the proper wording for a signed document

2018-11-02 Thread Stefan Claas
On Thu, 1 Nov 2018 23:50:48 +0100, Stefan Claas wrote:

Hi vedaal,

> > A simple, but slightly tedious workaround, would be to GnuPG Armor
> > Sign the .pdf
> > 
> > The eIDAS signature will still work, but the Armored Signed message
> > is much harder to alter, and such alteration is detectable as
> > malicious rather than a 'mistake'.
> 
> Thank you very much for this valuable information, much appreciated!
> 
> It is now a bit late, but I will try this out tomorrow.

O.k. I played a bit with it, but as you said, "slightly tedious
workaround"... I will use another method, which does not allow an attack,
imho.

I did this in the past with detached signatures when I posted files,
and it should be used more widely, imho!

Simply, one can use a time stamping service based on blockchain
technology. I can then time stamp the .pdf and also put a
statement in the .pdf that the file is timestamped, and need not
worry in the future if a MITM would try (and why?) to alter my
documents.

https://opentimestamps.org

Regards
Stefan

--
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Slightly OT - i need the proper wording for a signed document

2018-11-01 Thread Stefan Claas
Hi vedaal,

On Thu, 01 Nov 2018 15:20:33 -0400, vedaal via Gnupg-users wrote:
> On Thursday, 01.11.2018, 17:42 +0100, Stefan Claas wrote:
> > On Thu, 01 Nov 2018 16:09:56 +0100, Dirk Gottschalk wrote:
> 
> 
> 
> > That is the reason why I like to sign the .pdf, containing my key
> > data, with a qualified eIDAS-conformant signature. The detached GnuPG
> > sig should be additional info that matches the key data in the
> > document.
> 
> =
> 
> This will work well in that if the signature verifies, then the
> information in the .pdf can be considered reliable.
> 
> It is, however, very easy for a MITM attack to 'break' the signature
> by very subtly altering the pdf.
> 
> 
> Try this:
> 
> [1] Take your finished pdf and select all the text and copy it into a
> new Libre Office document.
> 
> [2] At the end of your text, just add a period.
> 
> [3] Use Libre Office's font coloring to change the color of the added
> period to white.
> 
> [4] Export this new document as a pdf with the same file name as your
> original pdf, and the same metadata.
> 
> [5] The pdf looks exactly the same, but the signature will no longer
> verify.
> 
> 
> I don't trust a detached, signed pdf
> (Again, I do, if it verifies, but am not sure if it doesn't verify).
> 
> A simple, but slightly tedious workaround, would be to GnuPG Armor
> Sign the .pdf
> 
> The eIDAS signature will still work, but the Armored Signed message
> is much harder to alter, and such alteration is detectable as
> malicious rather than a 'mistake'.

Thank you very much for this valuable information, much appreciated!

It is now a bit late, but I will try this out tomorrow.

> Also,
> If you are planning to post your public keyblock in this pdf, please
> be aware that pdf treats a line return as empty whitespace, so when
> trying to import the key, GnuPG does not recognize the empty
> whitespace, and reads the version line as continuous with the
> keyblock, and it won't import.

The idea was to only publish the key data from an output like
gpg --check-sigs, which should give a user enough data.

Regards
Stefan


-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Slightly OT - i need the proper wording for a signed document

2018-11-01 Thread vedaal via Gnupg-users
On Thursday, 01.11.2018, 17:42 +0100, Stefan Claas wrote:
> On Thu, 01 Nov 2018 16:09:56 +0100, Dirk Gottschalk wrote:



> That is the reason why I like to sign the .pdf, containing my key
> data, with a qualified eIDAS-conformant signature. The detached GnuPG
> sig should be additional info that matches the key data in the
> document.

=

This will work well in that if the signature verifies, then the information in
the .pdf can be considered reliable.

It is, however, very easy for a MITM attack to 'break' the signature by very
subtly altering the pdf.


Try this:

[1] Take your finished pdf and select all the text and copy it into a new Libre
Office document.

[2] At the end of your text, just add a period.

[3] Use Libre Office's font coloring to change the color of the added period to
white.

[4] Export this new document as a pdf with the same file name as your original
pdf, and the same metadata.

[5] The pdf looks exactly the same, but the signature will no longer verify.


I don't trust a detached, signed pdf
(Again, I do, if it verifies, but am not sure if it doesn't verify).

A simple, but slightly tedious workaround, would be to GnuPG Armor Sign the
.pdf

The eIDAS signature will still work, but the Armored Signed message is much
harder to alter, and such alteration is detectable as malicious rather than a
'mistake'.


Also,
If you are planning to post your public keyblock in this pdf, please be aware
that pdf treats a line return as empty whitespace, so when trying to import the
key, GnuPG does not recognize the empty whitespace, and reads the version line
as continuous with the keyblock, and it won't import.


vedaal




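vedaal's last warning above is a concrete failure mode: copied out of a PDF, the key block loses its line breaks, the blank line that separates the armor headers from the data disappears, and the "Version:" line runs into the base64 body, so the import fails. The code below is an added example, not code from the thread or from GnuPG: a strict layout check that names the defect, and a repair function that rebuilds the armor block as gpg expects it (header line, armor headers, one blank line, 64-column base64, "=" plus the Radix-64 CRC-24 of RFC 4880 section 6, tail line). The payload is constructed bytes rather than a real key, and the header values are made up; the repair assumes the base64 body contains at least one full 64-character line, which is how data is told apart from header words.

```python
from __future__ import annotations

import base64
import re
from typing import Optional

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]+=*")


def crc24(data: bytes) -> int:
    """Radix-64 CRC-24 from RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(payload: bytes, headers: tuple[str, ...] = ()) -> str:
    """Produce a well-formed armor block: header line, armor headers, one blank
    line, base64 in 64-column lines, '=' + CRC-24, tail line."""
    b64 = base64.b64encode(payload).decode()
    crc_line = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    lines = [BEGIN, *headers, "", *[b64[i:i + 64] for i in range(0, len(b64), 64)], crc_line, END]
    return "\n".join(lines) + "\n"


def check_armor(text: str) -> Optional[str]:
    """Strict check of the layout an importer relies on. Returns None when the
    block is well-formed, otherwise a short description of the defect."""
    lines = text.strip().splitlines()
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        return "missing armor framing"
    if "" not in lines:
        return "no blank line separating armor headers from data"
    body = lines[lines.index("") + 1:-1]
    if not body or not body[-1].startswith("="):
        return "missing CRC line"
    try:
        payload = base64.b64decode("".join(body[:-1]), validate=True)
        crc_given = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    except ValueError:
        return "data is not valid base64"
    if crc24(payload) != crc_given:
        return "CRC-24 mismatch"
    return None


def repair_flattened(text: str) -> str:
    """Rebuild a block whose newlines were turned into spaces by a PDF copy.
    Assumption (this example's, not the thread's): the base64 body contains at
    least one full 64-character line, which separates data tokens from the
    words of the armor headers that precede them."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if not m:
        raise ValueError("missing armor framing")
    tokens = m.group(1).split()
    first_data = next((i for i, t in enumerate(tokens)
                       if len(t) == 64 and B64_TOKEN.fullmatch(t)), None)
    if first_data is None:
        raise ValueError("no 64-column base64 line found")
    header_lines: list[str] = []
    for tok in tokens[:first_data]:
        if tok.endswith(":") or not header_lines:
            header_lines.append(tok)          # "Version:", "Comment:" start a header
        else:
            header_lines[-1] += " " + tok     # remaining words belong to its value
    data, crc_line = "".join(tokens[first_data:-1]), tokens[-1]
    if not crc_line.startswith("="):
        raise ValueError("missing CRC line")
    wrapped = [data[i:i + 64] for i in range(0, len(data), 64)]
    return "\n".join([BEGIN, *header_lines, "", *wrapped, crc_line, END]) + "\n"


def demo() -> dict[str, object]:
    payload = bytes(range(100))                       # constructed stand-in for key packets
    original = armor(payload, ("Version: GnuPG v2 (constructed)", "Comment: example only"))
    flattened = " ".join(original.split())            # every newline became a single space
    repaired = repair_flattened(flattened)
    return {
        "flattened_defect": check_armor(flattened),
        "repaired_defect": check_armor(repaired),
        "repaired_equals_original": repaired == original,
    }
```

The checker validates framing, the blank line and the CRC-24 only, not the packets inside, so after repairing a real block the final word is still `gpg --import`; what the repair buys is that the import no longer fails on the layout damage the PDF introduced.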


Re: Slightly OT - i need the proper wording for a signed document

2018-11-01 Thread Stefan Claas
On Thu, 1 Nov 2018 20:14:19 +0100, Wiktor Kwapisiewicz wrote:
> On 01.11.2018 11:19, stefan.cl...@posteo.de wrote:
> > And this is the problem I have had since 1994/95... For me signatures
> > made with PGP / GnuPG have no weight, for several reasons, except
> > those made from Governikus and maybe CT Magazine signed keys.
> 
> I, for one, like the OpenPGP's approach of "choose your own trust
> model". Someone will trust Governikus, someone will trust random
> internet people, someone will marginally trust them or a selected set
> of people they think are trustworthy. (By the way too bad that
> Governikus doesn't add Policy URLs to their signatures [0], it would
> be easier to read about their procedures for people that don't know
> them).

Well, I like GnuPG too, because you can use and run it on an
off-line computer, for example. But, like I said, the signatures, in all
the years I have used GnuPG, have no weight for me, except for
cryptographically securing document contents or files from tampering,
from people whom I personally don't know, when it comes to the
classical WoT.

I think it is also very sad that, after all the years, afaik only
Governikus offers such a service. I am not aware of any other CA in
the world which works the same way.

> Of course, this comes at the expense of user friendliness but there
> are already easier trust alternatives in GnuPG (e.g. TOFU).

Yes, in CLI mode, when not using a MUA, I use TOFU too and think it
is a very nice addition.

Regards
Stefan
 

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas



Re: Slightly OT - i need the proper wording for a signed document

2018-11-01 Thread Wiktor Kwapisiewicz via Gnupg-users
On 01.11.2018 11:19, stefan.cl...@posteo.de wrote:
> And this is the problem I have had since 1994/95... For me signatures
> made with PGP / GnuPG have no weight, for several reasons, except
> those made from Governikus and maybe CT Magazine signed keys.

I, for one, like the OpenPGP's approach of "choose your own trust
model". Someone will trust Governikus, someone will trust random
internet people, someone will marginally trust them or a selected set of
people they think are trustworthy. (By the way too bad that Governikus
doesn't add Policy URLs to their signatures [0], it would be easier to
read about their procedures for people that don't know them).

Of course, this comes at the expense of user friendliness but there are
already easier trust alternatives in GnuPG (e.g. TOFU).

On 01.11.2018 16:09, Dirk Gottschalk via Gnupg-users wrote:
> This isn't the problem at all. X.509 is a really good standard. I use
> it myself really often for signing PDFs or some other things.

Do you mean X.509 is technically good or just more widely supported in
software than OpenPGP? For me there are only few cases where X.509
infrastructure has something that OpenPGP lacks (e.g. timestamping).

Kind regards,
Wiktor

[0]:
https://keyserver.ubuntu.com/pks/lookup?op=vindex=0xAFCDE102C7FAAD6E

-- 
https://metacode.biz/@wiktor



Re: Slightly OT - i need the proper wording for a signed document

2018-11-01 Thread Dirk-Willem van Gulik
On 1 Nov 2018, at 18:32, Dirk Gottschalk via Gnupg-users wrote:

> 
> Oh, you have also this issue? I read about it in a Facebook group.
> Libreoffice is complaining about a bad signature with certificates from
> D-Trust even after importing the root. When you have the same problem,
> they seem to be doing something that's not compliant to the standard.

May just be stumbling over a specific extension. We had to do

https://github.com/dirkx/openssl-AdmissionSyntax

a few years ago for a few edge cases at D-Trust.

Dw


Re: Slightly OT - i need the proper wording for a signed document

2018-11-01 Thread Stefan Claas
On Thu, 01 Nov 2018 19:23:04 +0100, Dirk Gottschalk via Gnupg-users
wrote:

Hi Dirk,

> On Thursday, 01.11.2018, 18:49 +0100, Stefan Claas wrote:
> > On Thu, 1 Nov 2018 17:42:41 +0100, Stefan Claas wrote:  
> 
> > I am also *very much* interested what infos users in the U.S., Canada,
> > U.K. and Ireland, for example, see (is the certificate Info displayed in
> > English?) when verifying my document with Adobe Reader DC!
> 
> It depends on their locale. The object descriptors would be shown in
> the set language for the locale. The values are shown as they are set
> in the certificate.

Thanks for the info!

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Slightly OT - i need the proper wording for a signed document

2018-11-01 Thread Dirk Gottschalk via Gnupg-users
Hi Stefan.

On Thursday, 01.11.2018, 18:49 +0100, Stefan Claas wrote:
> On Thu, 1 Nov 2018 17:42:41 +0100, Stefan Claas wrote:

> I am also *very much* interested what infos users in the U.S., Canada,
> U.K. and Ireland, for example, see (is the certificate Info displayed in
> English?) when verifying my document with Adobe Reader DC!

It depends on their locale. The object descriptors would be shown in
the set language for the locale. The values are shown as they are set
in the certificate.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Slightly OT - i need the proper wording for a signed document

2018-11-01 Thread Stefan Claas
On Thu, 01 Nov 2018 18:32:58 +0100, Dirk Gottschalk wrote:
> On Thursday, 01.11.2018, 17:42 +0100, Stefan Claas wrote:

> > I am not able to verify a qualified eIDAS conform X.509 sig, which
> > i can create now, with LibreOffice, nor with other tools, except
> > Adobe Reader DC or with the mentioned web site link. Have you or
> > someone else actually tried to verify my greetings.pdf on my keybase
> > page?  
> 
> > If so i am really interested in the results from various tools!  
> 
> Oh, you have also this issue? I read about it in a Facebook group.
> Libreoffice is complaining about a bad signature with certificates
> from D-Trust even after importing the root. When you have the same
> problem, they seem to be doing something that's not compliant to the
> standard. Another argument against using this cert, IMHO. All other
> certificates work well in Libreoffice in my case. I don't have a
> D-Trust signed file to check the problem. But I am interested in
> doing so, if I could get such file.
> 
> PDFSign is another tool that could be tried.

Hi Dirk, I am no expert (yet) with this whole new stuff, but I am
pretty sure that D-Trust certs are 100 percent compliant, or
otherwise Adobe Reader DC or the mentioned web site in my
previous links would not work. A Usenet friend of mine was
able to verify the signature under Linux with openssl and a
hex editor, for example...

Here again the link to my document:

https://keybase.pub/stefan_claas/docs/greetings.pdf

and here the link for people who don't use Adobe DC Reader:

https://ec.europa.eu/cefdigital/DSS/webapp-demo

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas


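Stefan's remark that a friend verified the document with openssl and a hex editor describes the manual route around Adobe Reader and the DSS demo: pull the DER-encoded CMS blob out of the signature dictionary's /Contents entry and hash exactly the bytes that /ByteRange declares as covered, then hand both to an external CMS verifier. The Python below is an added example written for this page, not code from the thread, from LibreOffice or from any tool mentioned in it. It runs on a constructed minimal PDF whose /Contents holds a fake DER SEQUENCE rather than a real signature, so the final openssl step is only shown as a comment; the ByteRange sanity check is the part a practitioner actually needs, because the signature protects nothing outside the two ranges.

```python
"""Extract and sanity-check the CMS signature of a PDF (added example, not from the thread)."""
import binascii
import hashlib
import re

BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTENTS_RE = re.compile(rb"/Contents\s*<([0-9A-Fa-f]*)>")

# Constructed stand-in for the DER-encoded CMS SignedData a signing tool
# writes into /Contents: a valid DER SEQUENCE (tag 0x30, length 11), but
# NOT a real signature.
SAMPLE_DER = b"\x30\x0bfake-cms!!!"


def build_sample_pdf(der_blob, slot_size=64):
    """Build a constructed, minimal PDF body laid out like a signed PDF.

    Signing tools reserve a fixed-size, zero-padded /Contents hex string and
    patch /ByteRange afterwards so it covers the whole file except the bytes
    between '<' and '>'. Fixed-width numbers keep the patch from shifting offsets.
    """
    hex_contents = binascii.hexlify(der_blob).upper().ljust(slot_size * 2, b"0")

    def layout(byte_range):
        header = (b"%PDF-1.7\n"
                  b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                  b"4 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached\n")
        byte_range_line = b"/ByteRange [%010d %010d %010d %010d]\n" % byte_range
        trailer = b">>\nendobj\n%%EOF\n"
        return header + byte_range_line + b"/Contents <" + hex_contents + b">\n" + trailer

    draft = layout((0, 0, 0, 0))
    lt = draft.index(b"/Contents <") + len(b"/Contents ")   # offset of '<'
    gt = draft.index(b">", lt)                                # offset of '>'
    byte_range = (0, lt, gt + 1, len(draft) - (gt + 1))
    final = layout(byte_range)
    assert len(final) == len(draft)
    return final


def der_total_length(buf):
    """Length of the outermost DER element (tag + length bytes + value)."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("/Contents does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                 # short form
        return 2 + first
    n = first & 0x7F                 # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def parse_signature(pdf):
    """Return (byte_range, contents_hex, der) for the first signature dictionary."""
    m = BYTE_RANGE_RE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange found")
    byte_range = tuple(int(x) for x in m.groups())
    c = CONTENTS_RE.search(pdf)
    if c is None:
        raise ValueError("no /Contents found")
    contents_hex = c.group(1)
    raw = binascii.unhexlify(contents_hex)
    der = raw[:der_total_length(raw)]     # strip the zero padding behind the DER
    return byte_range, contents_hex, der


def check_byte_range(pdf, byte_range, contents_hex):
    """Return a list of problems; empty means the ByteRange is sane."""
    a, b, c, d = byte_range
    problems = []
    if a != 0:
        problems.append("first range does not start at offset 0")
    if c < a + b:
        problems.append("ranges overlap")
    if c + d != len(pdf):
        problems.append("ByteRange ends at %d but file is %d bytes long" % (c + d, len(pdf)))
    gap = pdf[a + b:c].strip(b"<>\r\n\t ")
    if gap.upper() != contents_hex.upper():
        problems.append("excluded gap is not the /Contents hex string")
    return problems


def covered_bytes(pdf, byte_range):
    """The detached content a CMS verifier must hash: both ranges concatenated."""
    a, b, c, d = byte_range
    return pdf[a:a + b] + pdf[c:c + d]


def signed_digest(pdf, byte_range, algo="sha256"):
    return hashlib.new(algo, covered_bytes(pdf, byte_range)).hexdigest()


if __name__ == "__main__":
    pdf = build_sample_pdf(SAMPLE_DER)
    byte_range, contents_hex, der = parse_signature(pdf)
    print("ByteRange:", byte_range)
    print("problems:", check_byte_range(pdf, byte_range, contents_hex) or "none")
    print("sha256 over covered bytes:", signed_digest(pdf, byte_range))
    with open("sig.der", "wb") as f:
        f.write(der)
    with open("covered.bin", "wb") as f:
        f.write(covered_bytes(pdf, byte_range))
    # With a real signed PDF the next step is an external CMS verifier, e.g.
    #   openssl cms -verify -inform DER -in sig.der -content covered.bin -CAfile roots.pem
    #   openssl pkcs7 -inform DER -in sig.der -print_certs -noout
```

Two things the checker makes visible: a byte changed inside the covered ranges changes the digest and so breaks the CMS signature, while bytes appended after the ranges leave the digest untouched and are simply not covered. The latter is not necessarily an attack (incremental updates and later signatures legitimately append to a PDF), but it is exactly what viewers mean by "document modified after signing", so a verifier must report it rather than silently hash only the declared ranges.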


Re: Slightly OT - i need the proper wording for a signed document

2018-11-01 Thread Stefan Claas
On Thu, 1 Nov 2018 17:42:41 +0100, Stefan Claas wrote:

> > > Here is a little example, of a .pdf i have signed with my
> > > qualified signature:
> > > 
> > > https://keybase.pub/stefan_claas/docs/greetings.pdf  
> > 
> > > Linux users can verify my qualified signature here:  
> > 
> > > https://ec.europa.eu/cefdigital/DSS/webapp-demo  
> > 
> > > macOS or Windows users can use the free Adobe Reader DC
> > > to do the same.
> > 
> > Libreoffice can verify the signature also and some other tools.
> 
> I am not able to verify a qualified eIDAS conform X.509 sig, which
> I can create now, with LibreOffice, nor with other tools, except Adobe
> Reader DC or with the mentioned web site link. Have you or someone
> else actually tried to verify my greetings.pdf on my keybase page?
> 
> If so i am really interested in the results from various tools!

I am also *very much* interested what infos users in the U.S., Canada,
U.K. and Ireland, for example, see (is the certificate Info displayed in
English?) when verifying my document with Adobe Reader DC!

An image link from a screenshot would be very much appreciated!

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Slightly OT - i need the proper wording for a signed document

2018-11-01 Thread Stefan Claas
On Thu, 01 Nov 2018 16:09:56 +0100, Dirk Gottschalk wrote:

Hi Dirk,

> On Thursday, 01.11.2018, 11:19 +0100, stefan.cl...@posteo.de wrote:
> > Hi Dirk,

> > I personally like that we have such EU regulation. And i understand
> > that it costs money to build and maintain such infrastructure.
> 
> The Problem is the implication of trust in governmental organizations
> per se in this case. But, far from this, there are other signature
> providers who are trusted per default. AFAIK, Governikus is not listed
> in the standard CA packs, yet.  

How could Governikus be listed, they are a PGP CA and not X.509, run on
behalf of Germany's BSI?

> > And this is the problem i have since 1994/95... For me signatures
> > made with PGP / GnuPG have no weight, for several reasons, except
> > those made from Governikus and maybe CT Magazine signed keys.
> 
> Okay, that's your thing. BUT, you may have verified some of the
> signers' keys at your own, this would be the same as checking against
> Governikus, for example.

No, I don't think it is the same, or do you personally verify an X.509
Root CA? I can only trust macOS or Windows with its built-in key store
and the fingerprints on web sites from the CAs. Regarding Governikus
I can check for the PGP fingerprint on one of their pages and must rely
on proper operation of my BSI certified card reader, AusweisApp2 and of
course of my nPA.

> > Here is a little example, of a .pdf I have signed with my qualified
> > signature:
> > 
> > https://keybase.pub/stefan_claas/docs/greetings.pdf
>   
> > Linux users can verify my qualified signature here:
>   
> > https://ec.europa.eu/cefdigital/DSS/webapp-demo
>   
> > macOS or Windows users can use the free Adobe Reader DC
> > to do the same.
> 
> Libreoffice can verify the signature also and some other tools.  

I am not able to verify a qualified eIDAS conform X.509 sig, which
I can create now, with LibreOffice, nor with other tools, except Adobe
Reader DC or with the mentioned web site link. Have you or someone
else actually tried to verify my greetings.pdf on my keybase page?

If so i am really interested in the results from various tools!

> > A list of TSPs (Trust Service Providers) can be seen here:
> > https://helpx.adobe.com/document-cloud/kb/european-union-trust-lists.html
>  
> This is the real problem I have with the EU regulations. There are
> regulations out there which are much better and have not such
> expensive certification costs to become "qualified".  

The sign-me service is currently free of charge and I expect once
commercially available the costs for signing (frequently) a document
there would be much lower than obtaining a qualified eIDAS conform
certificate on a signature card, plus software and card reader costs.

> [...]
>   
> > Thanks, much appreciated! I really like to see some more examples
> > from native English speakers living in the U.S.
> 
> Good idea. I found some Policies regarding PGP, but nothing like you
> want to do. But I only did a quick search.

Same for me... and that is the reason why I started the discussion, to
let people think about it.

> > I would like to omit the creation procedure or how the signing
> > procedure works, because imho people from the PGP ecosystem
> > should accept in the future qualified X.509 signatures.
> 
> Not the whole procedure. But you should explain that this is a
> trustworthy signature provider since Governikus is not yet listed as a
> standard root CA.

That is the reason why I like to sign the .pdf, containing my key data,
with a qualified eIDAS conform signature. The detached GnuPG sig should
be an additional info, that matches the key data in the document.

> To state it clear. x.509 is a good standard and a good procedure. I
> only think the "qualified" is overrated in some situations. The
> "qualified" is only really relevant in juristic context in Germany or
> in EU. And even then there are some exceptions where other rules
> override this. I had a lawsuit one year ago that showed this clearly.

I only came up with this, hopefully good, idea because a qualified and
eIDAS conform signature will be, I strongly assume, the highest level
in trustworthy signatures available, in the future. At least in Europe.

Regards
Stefan




Re: Slightly OT - i need the proper wording for a signed document

2018-11-01 Thread Dirk Gottschalk via Gnupg-users
Hi Stefan.

On Thursday, 01.11.2018, 11:19 +0100, stefan.cl...@posteo.de wrote:
> Hi Dirk,

> > To answer your question, even if the answer is not what you
> > expected:

> I expected something like this... ;-)
> 
> > I don't think this would change anything on the reputation on your
> > key.
> > I even don't think there is any good reason for the EU-Regulation
> > at
> > all. There is much taste of "get the citizens money for everything"
> > in
> > it. ^^

> I personally like that we have such EU regulation. And I understand
> that it costs money to build and maintain such infrastructure.

The Problem is the implication of trust in governmental organizations
per se in this case. But, far from this, there are other signature
providers who are trusted per default. AFAIK, Governikus is not listed
in the standard CA packs, yet.


> > The trust level for a key depends on the trust to the signature
> > which
> > are made for your key. There is no valid reason to trust
> > "Governikus"
> > or "D-Trust (Bundesdruckerei)" by default at all, especially for
> > people
> > in foreign countries. Even I don't do this.

> And this is the problem I have since 1994/95... For me signatures
> made with PGP / GnuPG have no weight, for several reasons, except
> those made from Governikus and maybe CT Magazine signed keys.

Okay, that's your thing. BUT, you may have verified some of the signers'
keys at your own, this would be the same as checking against Governikus,
for example.

> Why? Can I, for example, trust fan signatures made by users on
> someone's key which bears several hundred sigs and the key holder
> does not sign the signers' keys? No, of course not. Call me stupid
> but even if Governikus would be run by the BND or NSA etc. I would
> trust the validity of such signed keys more than a signed key from
> "somebody" signed by other people I do not know. Due to the procedure
> Governikus uses I can personally rest assured that the key belongs
> to the person which the key data states. The only thing GnuPG offers
> me with signatures, not made with Governikus signed keys, is that if
> someone has tampered with a document the "signature" would be then no
> longer valid.

This is also the case with the PGP standard.


> Here is a little example, of a .pdf I have signed with my qualified
> signature:
> 
> https://keybase.pub/stefan_claas/docs/greetings.pdf

> Linux users can verify my qualified signature here:

> https://ec.europa.eu/cefdigital/DSS/webapp-demo

> macOS or Windows users can use the free Adobe Reader DC
> to do the same.

Libreoffice can verify the signature also and some other tools.


> A list of TSPs (Trust Service Providers) can be seen here:
> https://helpx.adobe.com/document-cloud/kb/european-union-trust-lists.html
 
This is the real problem I have with the EU regulations. There are
regulations out there which are much better and have not such expensive
certification costs to become "qualified".

I would consider an x.509 cert as valid and trustworthy which is signed
by one of the well known CAs with "extended verification". But that's
another discussion.


> I think PGP users should be more open to current available and
> accepted standards when it comes to digital signatures.

This isn't the problem at all. X.509 is a really good standard. I use
it myself really often for signing PDFs or some other things.


> > Best thing is to verify a key personally.

> Yes, in case of PGP / GnuPG when using the classical WoT procedure.

That's what i meant.

[...]

> Thanks, much appreciated! I really like to see some more examples
> from native English speakers living in the U.S.

Good idea. I found some Policies regarding PGP, but nothing like you
want to do. But I only did a quick search.


> I would like to omit the creation procedure or how the signing
> procedure works, because imho people from the PGP ecosystem
> should accept in the future qualified X.509 signatures.

Not the whole procedure. But you should explain that this is a
trustworthy signature provider since Governikus is not yet listed as a
standard root CA.

To state it clear. x.509 is a good standard and a good procedure. I
only think the "qualified" is overrated in some situations. The
"qualified" is only really relevant in juristic context in Germany or
in EU. And even then there are some exceptions where other rules
override this. I had a lawsuit one year ago that showed this clearly.

The combination of OpenPGP-Card and x.509 is, that should be said,
really a good thing. I'm running a CA for my customers and me, for
internal purposes, which means for data exchange between different
software and so on, and the keys are derived from PGP keys on Card.
GPGSM is a really nice solution for such CSRs. It only lacks the
ability of creating CRLs, otherwise it could be used as a CA too.

Okay, now I drifted completely off of your topic. I'm Sorry.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: 

Re: Slightly OT - i need the proper wording for a signed document

2018-11-01 Thread stefan.claas

Hi Dirk,

> To answer your question, even if the answer is not what you expected:

I expected something like this... ;-)

> I don't think this would change anything on the reputation on your key.
> I even don't think there is any good reason for the EU-Regulation at
> all. There is much taste of "get the citizens money for everything" in
> it. ^^

I personally like that we have such EU regulation. And I understand
that it costs money to build and maintain such infrastructure.

> The trust level for a key depends on the trust to the signature which
> are made for your key. There is no valid reason to trust "Governikus"
> or "D-Trust (Bundesdruckerei)" by default at all, especially for people
> in foreign countries. Even I don't do this.

And this is the problem I have since 1994/95... For me signatures
made with PGP / GnuPG have no weight, for several reasons, except
those made from Governikus and maybe CT Magazine signed keys.

Why? Can I, for example, trust fan signatures made by users on
someone's key which bears several hundred sigs and the key holder
does not sign the signers' keys? No, of course not. Call me stupid
but even if Governikus would be run by the BND or NSA etc. I would trust
the validity of such signed keys more than a signed key from "somebody"
signed by other people I do not know. Due to the procedure Governikus
uses I can personally rest assured that the key belongs to the person
which the key data states. The only thing GnuPG offers me with
signatures, not made with Governikus signed keys, is that if someone
has tampered with a document the "signature" would be then no longer
valid.

Here is a little example, of a .pdf I have signed with my qualified
signature:

https://keybase.pub/stefan_claas/docs/greetings.pdf

Linux users can verify my qualified signature here:

https://ec.europa.eu/cefdigital/DSS/webapp-demo

macOS or Windows users can use the free Adobe Reader DC
to do the same.

A list of TSPs (Trust Service Providers) can be seen here:

https://helpx.adobe.com/document-cloud/kb/european-union-trust-lists.html

I think PGP users should be more open to current available and accepted
standards when it comes to digital signatures.

> Best thing is to verify a key personally.

Yes, in case of PGP / GnuPG when using the classical WoT procedure.

> I would create a file which describes how your key was verified before
> signing and the data FPR and UID of your gnupg key, sign this with your
> x.509 and create a detached signature with gnupg. Needless to say that
> you should use the key mentioned in the PDF.
>
> The wording should not be difficult itself. Something like:
>
> The OpenPGP key
>
> key data
>
> is signed by Governikus.
>
>
>  ... signed by ...

Thanks, much appreciated! I really like to see some more examples from
native English speakers living in the U.S.

I would like to omit the creation procedure or how the signing
procedure works, because imho people from the PGP ecosystem
should accept in the future qualified X.509 signatures.

Regards
Stefan




Re: Slightly OT - i need the proper wording for a signed document

2018-10-31 Thread Dirk Gottschalk via Gnupg-users
Hello Stefan.

On Wednesday, 31.10.2018, 18:59 +0100, Stefan Claas wrote:
> On Wed, 31 Oct 2018 18:53:33 +0100, Stefan Claas wrote:
> > Hi all,
> > 
> > I hope this is not too much off-topic...
> > 
> > I recently signed up for the new Service of Germany's
> > Bundesdruckerei*, to obtain a *qualified* X.509 Certificate,
> > which is complaint with the EU's eIDAS regulation.
> 
> Oh... sorry I mean *compliant* of course!

Compliant to... ^^

To answer your question, even if the answer is not what you expected:

I don't think this would change anything on the reputation on your key.
I even don't think there is any good reason for the EU-Regulation at
all. There is much taste of "get the citizens money for everything" in
it. ^^

The trust level for a key depends on the trust to the signature which
are made for your key. There is no valid reason to trust "Governikus"
or "D-Trust (Bundesdruckerei)" by default at all, especially for people
in foreign countries. Even I don't do this.

Best thing is to verify a key personally.

I would create a file which describes how your key was verified before
signing and the data FPR and UID of your gnupg key, sign this with your
x.509 and create a detached signature with gnupg. Needless to say that
you should use the key mentioned in the PDF.

The wording should not be difficult itself. Something like:

The OpenPGP key

key data

is signed by Governikus.


 ... signed by ...


And so on.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Slightly OT - i need the proper wording for a signed document

2018-10-31 Thread Stefan Claas
Hi all,

I hope this is not too much off-topic...

I recently signed up for the new Service of Germany's
Bundesdruckerei*, to obtain a *qualified* X.509 Certificate,
which is complaint with the EU's eIDAS regulation.

Because PGP signatures are not qualified, nor the pub keys,
I thought to create a little .pdf document containing my
name and my pub key data and give this a qualified signature
and publish it on keybase. The signed document will then
also be detached signed with my current GnuPG key.

The idea behind this is that people who find my pub key on
keybase can be assured that I am the owner of the key.

My pub key bears also a sig3 from Governikus, but I can't
expect that people living outside of Germany understand what
Governikus is and how the Governikus signing procedure works.

So far so good..., since I am no native English speaker I would
like to know what the proper wording would be to put such
statement in the .pdf document and what name should I use
for this document.

Any help would be greatly appreciated!

* https://cloud.sign-me.de/signature/start

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Slightly OT - i need the proper wording for a signed document

2018-10-31 Thread Stefan Claas
On Wed, 31 Oct 2018 18:53:33 +0100, Stefan Claas wrote:
> Hi all,
> 
> I hope this is not too much off-topic...
> 
> I recently signed up for the new Service of Germany's
> Bundesdruckerei*, to obtain a *qualified* X.509 Certificate,
> which is complaint with the EU's eIDAS regulation.

Oh... sorry I mean *compliant* of course!

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas

