Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

Stefan Claas stefan.claas at posteo.de
Wed Jun 7 07:55:24 CEST 2017

On 07.06.17 00:04, MFPA wrote:

> On Tuesday 6 June 2017 at 5:07:18 PM, in
> <mid:4df4bdbf-bda1-9259-4e5b-621b650d4e39 at posteo.de>, Stefan Claas
> wrote:-
> > Therefore qualified CA's
> > in my opinion are mandatory where each user in each
> > country [may] register
> > with his/her id-card so that it's guaranteed that
> > Alice is not Eve.
> Assuming the users trust both the CA and the entity that issued the
> id-card.
Well, that's debatable. As an example:

My old pub-key had a sig3 from a well known german computer
magazine, which i believe a lot of people here in Germany would trust.
Their procedure was that you attend their booth at electronic fairs
show up with your id-card and a fillet out form, containing your data and
the pub key data. They carefully checked then the filled out form with
your id-card. So it's imo compareable with key signing parties you
attend. But who guarantees that an id-card is not fake with this
classical procedure?

My new pub-key bears a sig3 from a german CA which is run on
behalf of  our interior ministry. People may not trust our government
but the procedure how the pub-key was verified* tells me that the
sig3 issued to that person is correct.

*our new german id-card contains a chip and when you look at it
i would say this sort of modern id-card can not be faked.

The procedure went like this: I inserted my id-card in a certified
card reader, which i purchased, startet the german certified id-card
software "AusweisApp2" to connect to the CA Server and the server
checked my id-card online and after verification send the signed
pub-key to my email address. Can this procedure be faked by
criminals etc.? I doubt it.


More information about the Gnupg-users mailing list