Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

Stefan Claas stefan.claas at posteo.de
Wed Jun 7 10:43:16 CEST 2017

On 07.06.2017 at 08:50, Andrew Gallagher wrote:

>> On 7 Jun 2017, at 06:55, Stefan Claas <stefan.claas at posteo.de> wrote:
>> The procedure went like this: I inserted my id-card in a certified
>> card reader, which I purchased, started the German certified id-card
>> software "AusweisApp2" to connect to the CA Server and the server
>> checked my id-card online and after verification sent the signed
>> pub-key to my email address. Can this procedure be faked by
>> criminals etc.? I doubt it.
> Everything *can* be faked, given enough time, effort and/or money. The correct question is *would* criminals etc go to the necessary lengths to fake this procedure, and the answer (as always) is: it depends on what it's worth to them. :-)

I have no idea how much money is made worldwide by shady companies or
bad people and what techniques for that are used on the Internet. A
public-key certified by the way I described, assuming GnuPG would
become an accepted worldwide standard in the future for digital
signatures, with frontends for Joe user average, would be a way to dry
out bad businesses. The classic WoT or TOFU does not help in this case, imo.

