about how the MUA mutt signs mails

2017-05-31 Thread Matthias Apitz 

Hello,

When I send signed mails to me with the MUA mutt (just for test) the
received mail is verified fine in mutt, i.e. it says in mutt:

[-- Begin signature information --]
Good signature from: Matthias Apitz (GnuPG CCID) 
created: Wed May 31 21:40:19 2017
[-- End signature information --]

[-- The following data is signed --]

hello


[-- End of signed data --]

but when I save the signature part into a file 'signature.asc' and the
ASCII content of the mail as a file 'data' from the menu in mutt:

q:Exit  s:Save  |:Pipe  p:Print  ?:Help
  I 1   
[text/plain, 7bit, utf-8, 0.1K]
  I 2 signature.asc
[applica/pgp-signat, 7bit, 0.8K]

and run:

$ gpg2 --verify signature.asc data
gpg: Signature made Wed May 31 21:40:19 2017 CEST
gpg:using RSA key 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
gpg: BAD signature from "Matthias Apitz (GnuPG CCID) " 
[ultimate]

it says 'BAD signature'.

Why the file 'data' has BAD signature? The file 'data' after saving from
mutt from the above menu just contains:

$ cat data
hello

$ od -c data
000h   e   l   l   o  \n  \n
007

I digged into this trussing the mutt-gpg2 process chain and it turned out that
the netto data which verifies mutt is:

$ od -c data.asc
000C   o   n   t   e   n   t   -   T   y   p   e   :   t   e
020x   t   /   p   l   a   i   n   ;   c   h   a   r   s   e
040t   =   u   t   f   -   8  \r  \n   C   o   n   t   e   n   t
060-   D   i   s   p   o   s   i   t   i   o   n   :   i   n
100l   i   n   e  \r  \n  \r  \n   h   e   l   l   o  \r  \n  \r
120   \n
121

i.e. containes as well some mail header line about the content and charset and 
esp.
as well \r\n line terminators. If I modify the file to this it is fine:

$ gpg2 --verify signature.asc data.asc
gpg: Signature made Wed May 31 21:40:19 2017 CEST
gpg:using RSA key 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
gpg: Good signature from "Matthias Apitz (GnuPG CCID) " 
[ultimate]

Is this correct how mutt signs such mail bodies?

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: PGP for official documents / eIDAS and ZertES

2017-05-31 Thread Daniel Pocock 


On 31/05/17 19:34, ankostis wrote:
> On 31 May 2017 at 15:14, Daniel Pocock  wrote:
>>
>> Are the CMS, PDF or XML standards flexible enough that a PGP signature
>> could be used within any of them and thereby satisfy the legislation?
> 
> IANAL, but I would agree with Reiner that the implementing acts are not
> technology-neutral.
> More detailed, from the three standards supported, only the last one,
> XML-sig, supports PGP: https://www.w3.org/TR/xmldsig-core/#sec-PGPData
> 

Are there any basic examples of using XML-sig with GnuPG for signing and
verifying?

Are there any specific attributes that need to be included in a key used
for eIDAS?  E.g. does the legislation expect the photo or even something
like home address or date of birth, or just the name and email address
is sufficient?


> 
> 
>>> There are quite heavy
>>> legal and organization layers on top of the technology that assure
>>> security levels, notification (mutual acceptance) and cooperation
>>> procedures.
> 
> Regarding organizational issues, there in nothing in eIDAS *in principal"
> that forbids a company to use XML-sig with PGP.
> But it would be interesting how the "national authorities" would react
> in practice,
> should they receive such a request from a company.
> If it would work, for certain, these 2 German companies would have a 
> head-start.
> 

There are a couple of scenarios:

- for submitting documents to national authorities, some types of
submission (e.g. a tax return without any refund due) are a one-way
process.  The person submitting the document can assert they submitted
it in compliance with the law and it is then a problem for the national
authority to make sure their IT systems are reading valid PGP
signatures.  We will see some of them start advertising vacancies for
consultants with PGP expertise at the point people start submitting
PGP-signed documents.

- for business-to-business or consumer-to-business transactions, if a
business is willing to accept orders signed with PGP, they are making
life a lot easier for their customers.  The money the customer doesn't
have to waste on something like SuissID is money the customer can spend
with the business in question.

Another aspect of this topic: if at least one valid solution exists
(e.g. using XML-sig), then consultants specializing in PGP could tell
their customers that they offer a competitive solution compliant with
eIDAS and ZertES.

Regards,

Daniel

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Don't send encrypted messages to random users

2017-05-31 Thread MFPA 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512



On Tuesday 30 May 2017 at 8:42:04 PM, in
, Michael
Englehorn wrote:-


> Also, it would be strange to only publish your key's
> "name only" UID to the
> keyserver, because then at a keysigning event I
> wouldn't know where to
> send your public key back to, and I couldn't certify
> any of your e-mail
> addresses.


A user can use hashed instead of human-readable forms of their name
and/or their email address in a key's user-ids. The email address (or
name) cannot be determined from simple inspection of the UID. Just a
defence against casual snooping on the information in user-ids, not a
security measure but the "incident" that gave rise to this thread is
prevented. The downside is that using the cleartext email address (or
name) as your search string doesn't find the key from a keyserver and
the email client fails to match the key by email address, rendering
those UIDs largely useless.

It has been discussed here before, and dismissed by people cleverer
than me, that the hashed version could be searched for as well as the
readable version to locate a key from the local keyring or from
keyservers. A member of PGPNET produced some Python scripts as an
exercise in seeing what might go into this, when we last discussed the
idea over there about three years ago.

- --
Best regards

MFPA  

No matter where you go, there you are.
-BEGIN PGP SIGNATURE-

iNUEARYKAH0WIQQzrO1O6RNO695qhQYXErxGGvd45AUCWS9sw18UgAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNB
Q0VENEVFOTEzNEVFQkRFNkE4NTA2MTcxMkJDNDYxQUY3NzhFNAAKCRAXErxGGvd4
5OYaAP9n45Ojx5tHSw3KcGFbNmoq63sXckEqjQgiWsbQ1EG4SwD9Gw2P2/826VT4
+W5na/kbL1Dz+EveaMHG+z54V8Cn4w6JAZMEAQEKAH0WIQSzrn7KmoyLMCaloPVr
fHTOsx8l8AUCWS9syl8UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0QjNBRTdFQ0E5QThDOEIzMDI2QTVBMEY1NkI3
Qzc0Q0VCMzFGMjVGMAAKCRBrfHTOsx8l8JYvB/9WQFZRychf3xx9Xh3S+QRWIV4Y
dZ7Ph7rG2VOlwPVUi0/zqIycnjFQNcFRSGojnHfZE07+hDHXq3/e+epxUbYrpys9
aGf/Bj5N0sPKU8/kLAFbUsclFbGyz6/mrjALlLgyEQXYAYJ8JdgkAbifUW7Xkc4O
Nx3HyUQE2hbzmWo4BU2xl7ummTjPthvrZnaDvRkjlX/eG1x2Y87d/2GjLqsSbM9Q
tooQLkf5yyY42QFyPRg9TZehv8bfYq0SMiVmft4LPf8HtuI1lCVUb8YnExqwcSs2
BnjSaAE+aafdEIPXU3g938PIdctZocemMuxImT2ql9TN1/tWGtuKA6yRPkEY
=ndHi
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Errors at ECC key generation in non-interactive mode

2017-05-31 Thread Ryru 
Hi Daniel,

On 31.05.2017 21:47, Daniel Kahn Gillmor wrote:
> do you see the same error messages when you use the more modern --quick
> command-line syntax?

I was not aware of this syntax style. Thank you.

  fpr=$(gpg --with-colons --quick-gen-key "Test user "
ed25519 | awk -F: '/^fpr:/{ print $10 }')

This immediately runs gpg and ask for a password and creates an EdDSA
signing key without any errors.

> what version of gpg are you running when you see those warnings?

I run GnuPG 2.1.15 on Ubuntu 17.04. It is also possible to create an ECC
keypair with gpg --expert --full-gen-key without any errors. I just
would prefer to have a paramter file for later/future use.

Thank you.
Pascal

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Errors at ECC key generation in non-interactive mode

2017-05-31 Thread Daniel Kahn Gillmor 
Hi Ryru--

On Wed 2017-05-31 18:18:56 +0200, Ryru wrote:

> I get these errors while trying to create a new ECC key:
>
> $ gpg --batch --gen-key Desktop/params-ecc.txt
> gpg: key ABCDEFABCDEFABCD marked as ultimately trusted
> gpg: error reading rest of packet: Invalid argument
> gpg: error reading rest of packet: Invalid argument
> gpg: can't encode a 256 bit MD into a 88 bits frame, algo=8
> gpg: can't encode a 256 bit MD into a 88 bits frame, algo=8
> gpg: revocation certificate stored as
> '~/.gnupg/openpgp-revocs.d/ABCDEFABCDEFABCD.rev'
>
> My parameters are:
>
> $ cat params-ecc.txt
> Key-Type: EdDSA
> Key-Curve: Curve25519
> Key-Length: 256
> Subkey-Type: ECC
> Subkey-Curve: Curve25519
> Subkey-Length: 256
> Name-Real: 
> Name-Comment: 
> Name-Email: 
> Passphrase: 
> Preferences: S9 S13 S8 S12 S7 S11 S10 H10 H9 H8 Z3 Z2 Z1
> %commit

do you see the same error messages when you use the more modern --quick
command-line syntax?

fpr=$(gpg --with-colons --quick-gen-key "Test user " 
ed25519 | awk -F: '/^fpr:/{ print $10 }')
gpg --quick-add-key $fpr cv25519

what version of gpg are you running when you see those warnings?

 --dkg

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: PGP for official documents / eIDAS and ZertES

2017-05-31 Thread ankostis 
On 31 May 2017 at 15:14, Daniel Pocock  wrote:
>
> Are the CMS, PDF or XML standards flexible enough that a PGP signature
> could be used within any of them and thereby satisfy the legislation?

IANAL, but I would agree with Reiner that the implementing acts are not
technology-neutral.
More detailed, from the three standards supported, only the last one,
XML-sig, supports PGP: https://www.w3.org/TR/xmldsig-core/#sec-PGPData



> > There are quite heavy
> > legal and organization layers on top of the technology that assure
> > security levels, notification (mutual acceptance) and cooperation
> > procedures.

Regarding organizational issues, there in nothing in eIDAS *in principal"
that forbids a company to use XML-sig with PGP.
But it would be interesting how the "national authorities" would react
in practice,
should they receive such a request from a company.
If it would work, for certain, these 2 German companies would have a head-start.



> Thanks for the feedback about that.  Are all users likely to depend on
> all of those things, or is it possible that a PGP signature would be
> sufficient in some use cases?

Check also the "closed systems" exception in the eIDAS regulation.
Search the legal-text for this term (e.g. Art 2.2) to get a rough
understanding of this.
http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32014R0910&from=EN

Finally, I believe that a crucial point is whether the interpretation
of "assurance levels"
can also apply to PGP, and Art 16 hints that it does.
This may be the twisting-arm power for PGP to come on board eIDAS.


Thanks for bringing this subject up,
  Kostis

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: PGP for official documents / eIDAS and ZertES

2017-05-31 Thread Rainer Hoerbe 

> Am 31.05.2017 um 15:14 schrieb Daniel Pocock :
> 
> Are the CMS, PDF or XML standards flexible enough that a PGP signature
> could be used within any of them and thereby satisfy the legislation?
> Or could any of those standards potentially be amended/extended to allow
> use of PGP signatures?

CMS and PGP signatures are similar in concept, but incompatible. GPG-signatures 
could be added to xmldsig quite easily, but implementing this securely in 
different libraries would be a major undertaking. In addition, the WoT model is 
not compatible with the PKI + Trust Status Lists of eIDAS, although one could 
bridge the models, somehow.

> Thanks for the feedback about that.  Are all users likely to depend on
> all of those things, or is it possible that a PGP signature would be
> sufficient in some use cases?
> 
> In Switzerland, a number of state organizations are now accepting
> digital signatures and the Swiss Post is promoting a ZertES/eIDAS
> compliant solution, SuisseID.  However, the price[1] is quite expensive
> and even people who know nothing about PKI look at it and think it is a
> rip-off (Deutsch: ein teurer Flop[2]) and start looking for
> alternatives.  Many organizations are afraid to fully depend on it,
> especially when dealing with consumers.
> 
> It would be good to see PGP-based solutions grabbing market share before
> things like SuisseID eventually gain traction.

PGP is sufficient - I would say even better and more secure - in use cases 
where a small community leverages a trust relationship from the physical world. 
An example are CERT-employees or Federation Operators who know each other 
directly or with usually one intermediary from conferences and meetings, and 
are technically versed enough to overcome the learning curve.

eIDAS has a very different scope, trying to make electronic identities of all 
EU citizens trustworthy between member states.  It is hard to judge if SuisseID 
is expensive or not. With support and integration a price range of 50€/year is 
what enterprises pay for an employee smartcard. But I guess that even 
„expensive" cards like nPA and SuisseID are somehow subsidized by the taxpayer. 
We will probably know only in hindsight if it was worth the investment from a 
macroeconomic point of view.

PGP might grab significant market shares inside specific domains, where its 
poor usability does not matter or is covered by scripts and shells. However, as 
a competitor to eIDAS it would need a massive investment and industry + 
government support.

> 
> Does eIDAS require people to obtain their smart card or certificate in
> the country where they reside?  Or will they potentially be able to shop
> around, e.g. a Swiss person would be able to go to a German or French
> post office and get a cheaper alternative?

Not cheap, because the vetting of persons against public registers requires 
administrative procedures. AFAIK only Estonia is offering such a service as of 
now, called the e-Residency program.

- Rainer
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Errors at ECC key generation in non-interactive mode

2017-05-31 Thread Ryru 
Hi List

I get these errors while trying to create a new ECC key:

$ gpg --batch --gen-key Desktop/params-ecc.txt
gpg: key ABCDEFABCDEFABCD marked as ultimately trusted
gpg: error reading rest of packet: Invalid argument
gpg: error reading rest of packet: Invalid argument
gpg: can't encode a 256 bit MD into a 88 bits frame, algo=8
gpg: can't encode a 256 bit MD into a 88 bits frame, algo=8
gpg: revocation certificate stored as
'~/.gnupg/openpgp-revocs.d/ABCDEFABCDEFABCD.rev'

My parameters are:

$ cat params-ecc.txt
Key-Type: EdDSA
Key-Curve: Curve25519
Key-Length: 256
Subkey-Type: ECC
Subkey-Curve: Curve25519
Subkey-Length: 256
Name-Real: 
Name-Comment: 
Name-Email: 
Passphrase: 
Preferences: S9 S13 S8 S12 S7 S11 S10 H10 H9 H8 Z3 Z2 Z1
%commit

gnupg creates a key though, but I could not find any hints regarding the
errors. Do I use wrong parameters?

Thanks and regards
Pascal

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Certification-only key

2017-05-31 Thread Peter Lebbing 
On 31/05/17 14:52, Lionel Elie Mamane wrote:
> Right to be forgotten. The signatures I made a long time ago were made
> by a different person, although there is a continuity between the
> two.

Talking about not forgetting, you answered after seven years?! :-D

I don't think expiring a signing subkey will make anyone forget
anything. Keyservers are append-only, so the expired subkey stays there,
and many of your peers will also not scrub their keyrings and remove
expired subkeys. Those that do might still keep signing subkeys so they
can still now and in the future verify stuff you signed before it
expired. Expired encryption subkeys don't serve a purpose for your peers
anymore, I think, people who like cleaning up might remove those.

As far as I am aware, the only thing that happens when a signing subkey
expires, is that signatures which have an issuing time after the expiry
are flagged as BAD. All signatures made before the key expired will
still show up as valid signatures by you and your certificate.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Certification-only key

2017-05-31 Thread Lionel Elie Mamane 
On Mon, Oct 04, 2010 at 10:45:02AM -0700, Doug Barton wrote:
> On 10/4/2010 8:22 AM, Lionel Elie Mamane wrote:

>> Also, when my signature subkey expires, it would (I guess) silently
>> start using the primary. Which makes me_very_  happy I chose to make
>> my primary certification-only, because signatures started to fail
>> instead, which gave me notice and allowed me to issue a new signature
>> subkey:)

> Why did you choose to make your signature subkey expire, and why
> would you not simply extend the expiration date of the existing key
> rather than create a new one?

Right to be forgotten. The signatures I made a long time ago were made
by a different person, although there is a continuity between the
two.

-- 
Lionel

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: PGP for official documents / eIDAS and ZertES

2017-05-31 Thread Daniel Pocock 


On 31/05/17 13:54, Rainer Hoerbe wrote:
> Hi Daniel,
> 
> The eIDAS regulation is replacing the national e-signature laws to make
> signatures (besides other other things) interoperable across borders.
> While the law is fairly technology-neutral, the implementation acts have
> to reference specific technologies, which are CMS, PDF- and XML
> signature, but not PGP-signature.
>

Are the CMS, PDF or XML standards flexible enough that a PGP signature
could be used within any of them and thereby satisfy the legislation?
Or could any of those standards potentially be amended/extended to allow
use of PGP signatures?


> Beyond that, even if the EU would include PGP signatures, the technical
> interoperability would just be the beginning. There are quite heavy
> legal and organization layers on top of the technology that assure
> security levels, notification (mutual acceptance) and cooperation
> procedures. IMHU none of these exist in the PGP world.
> 

Thanks for the feedback about that.  Are all users likely to depend on
all of those things, or is it possible that a PGP signature would be
sufficient in some use cases?

In Switzerland, a number of state organizations are now accepting
digital signatures and the Swiss Post is promoting a ZertES/eIDAS
compliant solution, SuisseID.  However, the price[1] is quite expensive
and even people who know nothing about PKI look at it and think it is a
rip-off (Deutsch: ein teurer Flop[2]) and start looking for
alternatives.  Many organizations are afraid to fully depend on it,
especially when dealing with consumers.

It would be good to see PGP-based solutions grabbing market share before
things like SuisseID eventually gain traction.

Does eIDAS require people to obtain their smart card or certificate in
the country where they reside?  Or will they potentially be able to shop
around, e.g. a Swiss person would be able to go to a German or French
post office and get a cheaper alternative?

Regards,

Daniel



1. https://postsuisseid.ch/en/
2.
https://www.srf.ch/sendungen/kassensturz-espresso/themen/geld/suisseid-mehr-als-ein-teurer-flop

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Obtaining sig2 and sig3 signatures

2017-05-31 Thread Daniel Kahn Gillmor 
On Wed 2017-05-31 12:00:25 +0200, Stefan Claas wrote:
> Am 31.05.2017 um 03:43 schrieb Phil Pennock:
>> It's unfortunate really that the default is to make public attestations,
>> telling the world "trust me, this key belongs to this person" instead of
>> locally useful data and then, only once someone knows what they're
>> doing, offering them the option to act as a Notary Public
>> (German "Nurnotar" ?) if they so choose.
>
> Agreed.

also agreed.  I'd love to see someone spec out how to encourage the use
of this more sensible workflow.

   --dkg


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: PGP for official documents / eIDAS and ZertES

2017-05-31 Thread Rainer Hoerbe 
Hi Daniel,

The eIDAS regulation is replacing the national e-signature laws to make 
signatures (besides other other things) interoperable across borders. While the 
law is fairly technology-neutral, the implementation acts have to reference 
specific technologies, which are CMS, PDF- and XML signature, but not 
PGP-signature.

Beyond that, even if the EU would include PGP signatures, the technical 
interoperability would just be the beginning. There are quite heavy legal and 
organization layers on top of the technology that assure security levels, 
notification (mutual acceptance) and cooperation procedures. IMHU none of these 
exist in the PGP world.

- Rainer


> Am 31.05.2017 um 12:46 schrieb Stefan Claas :
> 
> 
> 
> Am 31.05.2017 um 12:18 schrieb Daniel Pocock:
>> 
>> Hi Stefan,
>> 
>> Thanks for sharing these.  Unfortunately my German skills are not great,
>> could you make any comment about those companies?
>> 
>> In particular,
>> 
>> - does a signature from either of these comply with eIDAS (and therefore
>> ZertES)?
>> 
>> - what effort is required to get the signature (e.g. somebody must come
>> to Germany?)
>> 
>> Regards,
>> 
>> Daniel
>> 
> Hi Daniel,
> 
> i'm not (yet) familar with eIDAS and can't answer that question.
> 
> For your second question. To obtain a sig3 from Governikus you need
> a german id-card an id-card card reader and the software AusweisApp2.
> 
> For a sig3 from the well known CT Magazin in Germany you have to show
> up at their booth (like CeBit Fair, Hannover Fair or Funkaustellung in
> Berlin) with your id-card and a filled out form (downloadable at their
> web site)
> 
> Regards
> Stefan
> 
> 
> 
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org 
> http://lists.gnupg.org/mailman/listinfo/gnupg-users 
> 
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: PGP for official documents / eIDAS and ZertES

2017-05-31 Thread Stefan Claas 



Am 31.05.2017 um 12:18 schrieb Daniel Pocock:


Hi Stefan,

Thanks for sharing these.  Unfortunately my German skills are not great,
could you make any comment about those companies?

In particular,

- does a signature from either of these comply with eIDAS (and therefore
ZertES)?

- what effort is required to get the signature (e.g. somebody must come
to Germany?)

Regards,

Daniel


Hi Daniel,

i'm not (yet) familar with eIDAS and can't answer that question.

For your second question. To obtain a sig3 from Governikus you need
a german id-card an id-card card reader and the software AusweisApp2.

For a sig3 from the well known CT Magazin in Germany you have to show
up at their booth (like CeBit Fair, Hannover Fair or Funkaustellung in
Berlin) with your id-card and a filled out form (downloadable at their
web site)

Regards
Stefan



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: PGP for official documents / eIDAS and ZertES

2017-05-31 Thread Daniel Pocock 


On 30/05/17 22:17, Stefan Claas wrote:
> 
> 
> On 30.05.17 08:05, Daniel Pocock wrote:
>>
>> Does anybody know of certificate authorities who are willing to sign PGP
>> keys or has anybody ever looked into making that happen?
> Hi Daniel,
> 
> please check those two links:
> 
> https://pgp.governikus-eid.de/pgp/
> https://www.heise.de/security/dienste/PGP-Schluessel-der-c-t-CA-473386.html
> 

Hi Stefan,

Thanks for sharing these.  Unfortunately my German skills are not great,
could you make any comment about those companies?

In particular,

- does a signature from either of these comply with eIDAS (and therefore
ZertES)?

- what effort is required to get the signature (e.g. somebody must come
to Germany?)

Regards,

Daniel

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Obtaining sig2 and sig3 signatures

2017-05-31 Thread Stefan Claas 

Am 31.05.2017 um 03:43 schrieb Phil Pennock:

It's unfortunate really that the default is to make public attestations,
telling the world "trust me, this key belongs to this person" instead of
locally useful data and then, only once someone knows what they're
doing, offering them the option to act as a Notary Public
(German "Nurnotar" ?) if they so choose.



Agreed.

Regards
Stefan


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Obtaining sig2 and sig3 signatures

2017-05-31 Thread Stefan Claas 

Am 31.05.2017 um 01:22 schrieb Damien Goutte-Gattat:


Hi,

On 05/30/2017 09:25 PM, Stefan Claas wrote:

The classical procedure would be to sign a key with a sig3 after seeing
the persons id-card in a real meeting. But who guarantees that the
id-card is not fake (if the person is a complete stranger)?


Well, no one. You rely on the ability of the signer to distinguish 
between a real ID-card and a fake ID-card. Of course, not everyone can 
spot a well-crafted fake ID (I certainly cannot).
I cannot  either, and that's why i like the mentioned german Governikus 
CA. To obtain a sig3 from them it requires
that you authenticate online with you id-card, an id-card reader and the 
german AusweisApp2 software.


Regards
Stefan



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Obtaining sig2 and sig3 signatures

2017-05-31 Thread Stefan Claas 



I don't recommend that anyone make a sig1, sig2, or sig3 for any
third-party certification (sig3 is fine for self-signatures, where the
keyholder asserts their own identity).

sig0 -- the default, generic certification -- is fine, does what people
need of it, and doesn't intentionally leak any more of the social graph
than it needs to.

Thank you! I will keep that in mind in case i sign somebody else's 
public key.


Regards
Stefan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users