On 17.09.2019 21:58, Stefan Claas via Gnupg-users wrote:
> Binarus wrote:
>
>> Actually, I currently don't know anybody whom I could ask to sign my
>> keys, and furthermore, the problem is bigger the other way around. Can I
>> trust the key which I found on the key server for the intended
>> recipient's email address? Can I at least be sure that the key server
>> has sent a confirmation email to that email address and has received the
>> answer? Or has it failed to do so due to a malformed email address, but
>> finds that address nevertheless because it performs a full-text search
>> against the key IDs?
>
> If you would use your real name in your UID you could let Governikus
> certify your key. Governikus is a German CA run on behalf of the BSI.
>
> For that you will need a (certified) ID-card reader and AusweisApp2.
>
> https://pgp.governikus.de/pgp/
Thank you very much for that hint. That might be a solution for German citizens, and probably for the citizens of a few other European countries. However, I see several problems:

- People just refuse to spend money or precious desk space on chip card readers. The best proof is the nonsense the German banks are currently doing to implement PSD2. I do not know anybody who has bought a chip card reader. Instead, everybody installs a TAN generator app (one for each bank) on the very same smartphone where the actual banking apps are running, which undoubtedly decreases security.

- While I have no problem with one-time investments (a chip card reader), my red line is regular payments. From a first quick look at the website you mentioned, I got the impression that the certification is currently free of charge. However, at first glance I couldn't find out how long a certification is valid, and experience tells me that they will begin to charge a substantial amount of money every year or so to refresh the certifications as soon as more than an infinitesimal number of people use them.

- After the incidents at the web (SSL) CAs (Symantec, DigiNotar and so on), I do not trust any centralized certification any more, even if those incidents happened some years ago.

  By the way, when clicking "Öffentlicher Schlüssel für die Beglaubigung" ("Public key for certification") in the menu at the bottom of the page https://pgp.governikus.de/pgp/, you currently just get an error page ("Es konnte leider nichts gefunden werden", i.e. "Unfortunately nothing could be found"). This for sure is the best way to generate trust ... Probably it's exactly what you should expect from a company which acts on behalf of the German government.

- The most important aspect is that I just can't force an addressee of a private message to get that certification. The addressee might live in another country where such certification is not available, or he might refuse to buy a card reader or to get the certification for other reasons.
I don't have any figures (hopefully somebody else has), but I suppose that no more than 5% of PGP users have a chip card reader. In contrast, the email verification system for keys is far less secure than the Governikus certification, but it is already available, works in every country and provides at least some level of security which is far better than nothing. It just needs to be supported by making implementation easier, which primarily means eliminating the ambiguities when deciding what is an email address in the key IDs, which in turn means making dedicated addr entries mandatory and forbidding treating anything outside these entries as an email address; all of this could be achieved with some small changes to the key ID convention / specification, which additionally would make parsing the key ID by key servers much easier, less error-prone and reproducible.

> Regarding the other questions, it would be IMHO really nice if we
> would have internationally more CAs for GnuPG users, thus one must
> not rely on the classical WoT signatures.

As long as these CAs don't charge money, I totally agree with you (although I am mistrustful towards CAs, as I stated above).

Finally, I've got a question (no criticism, really just a question, because I have absolutely no experience with AusweisApp and the like): You have stated that my real name must be in the key ID if I would like to have the key certified by Governikus. Does the key ID need to have other personal data in it? After all, as an example, there for sure are at least 1000 people in Germany whose name is "Peter Meier" (which is the reason why I personally will always use the email address (instead of the name) as the criterion when searching for a public key). If there is other personal data in the ID (like the address), what happens when people relocate?
Regards, and thank you very much,

Binarus

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
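The ambiguity Binarus describes (a key server that full-text-searches user IDs can "find" an address it could never have sent a confirmation mail to) can be made concrete with a small parser. The following is an added example written for this page; it is not code from the thread, from GnuPG or from any key server. It assumes the `gpg --with-colons` record layout in which field 10 of a `uid` record carries the user ID with colons escaped as `\x3a`, applies the conventional `Name (Comment) <addr-spec>` form of RFC 4880 user IDs as a strict rule (exactly one trailing `<...>` group whose content is a syntactically valid addr-spec counts as the address; everything else yields no address), and runs over a constructed listing with made-up key IDs, fingerprints and UID hashes. The `lookup` function contrasts that strict rule with a naive substring search over the whole user ID.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `gpg --with-colons --list-keys` output (fake key, not a real one).
# Field 10 (index 9) of a "uid" record is the user ID; ':' inside it is escaped as "\x3a".
SAMPLE_LISTING = r"""
pub:u:3072:1:0123456789ABCDEF:1568000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1568000000::0000000000000000000000000000000000000001::Peter Meier <peter.meier@example.org>::::::::::0:
uid:u::::1568000000::0000000000000000000000000000000000000002::Peter Meier (peter.meier@example.net)::::::::::0:
uid:u::::1568000000::0000000000000000000000000000000000000003::peter@example.org <Peter Meier>::::::::::0:
uid:u::::1568000000::0000000000000000000000000000000000000004::Peter Meier <peter.meier@@example.org>::::::::::0:
uid:u::::1568000000::0000000000000000000000000000000000000005::https\x3a//example.org/peter <alias@example.org>::::::::::0:
"""

# Simplified addr-spec: dot-atom local part, at least one dotted label, alphabetic TLD.
# This is an assumption for the example, not the full RFC 5322 grammar.
ADDR_SPEC = re.compile(
    r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)
# A single angle-bracket group at the very end of the user ID.
ANGLE_ADDR = re.compile(r"^(?P<name>.*?)\s*<(?P<addr>[^<>]*)>$")


def unescape_colons(field: str) -> str:
    """Undo the \\x3a escaping gpg applies to colons inside --with-colons fields."""
    return field.replace(r"\x3a", ":")


def uids_from_listing(listing: str) -> List[str]:
    """Extract the user ID strings from uid records of a --with-colons listing."""
    uids = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields and fields[0] == "uid" and len(fields) > 9:
            uids.append(unescape_colons(fields[9]))
    return uids


def strict_addr(uid: str) -> Optional[str]:
    """Return the address of a user ID only if it sits in exactly one trailing
    <...> group and is a syntactically valid addr-spec; otherwise None."""
    m = ANGLE_ADDR.match(uid)
    if not m:
        return None                      # no <...> group at all (e.g. address in a comment)
    if "<" in m.group("name"):
        return None                      # more than one bracket group: ambiguous, reject
    addr = m.group("addr")
    if not ADDR_SPEC.match(addr):
        return None                      # bracket content is not a usable address
    return addr.lower()


def naive_addr_match(uid: str, query: str) -> bool:
    """What a full-text search does: any occurrence of the string anywhere counts."""
    return query.lower() in uid.lower()


def lookup(listing: str, query: str) -> Dict[str, List[str]]:
    """Compare strict and naive matching of a queried address against a listing."""
    q = query.lower()
    strict, naive = [], []
    for uid in uids_from_listing(listing):
        if strict_addr(uid) == q:
            strict.append(uid)
        if naive_addr_match(uid, query):
            naive.append(uid)
    return {"strict": strict, "naive": naive}


if __name__ == "__main__":
    for query in ("peter.meier@example.org", "peter@example.org", "peter.meier@example.net"):
        result = lookup(SAMPLE_LISTING, query)
        print(query)
        print("  strict:", result["strict"])
        print("  naive: ", result["naive"])
```

Under the strict rule, only `Peter Meier <peter.meier@example.org>` yields an address that a verification mail could have been sent to; the user IDs with the address in a comment, with a doubled `@`, or with the address outside the brackets yield none. The naive search, by contrast, returns `peter@example.org <Peter Meier>` for the query `peter@example.org` even though no mailbox was ever verifiable for that user ID, which is exactly the false sense of confirmation the post worries about.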