Slightly OT - i need the proper wording for a signed document

stefan.claas at posteo.de stefan.claas at posteo.de
Thu Nov 1 11:19:52 CET 2018


Hi Dirk,

> To answer your question, even if the answer is not what you expected:

I expected something like this... ;-)

> I don't think this would change anything on the reputation on your key.
> I even don't think there is any good reason for the EU-Regulation at
> all. There is much taste of "get the citizens money for everything" in
> it. ^^

I personally like that we have such EU regulation. And I understand
that it costs money to build and maintain such infrastructure.

> The trust level for a key depends on the trust to the signature which
> are made for your key. There is no valid reason to trust "Governikus"
> or "D-Trust (Bundesdruckerei)" by default at all, especially for people
> in foreign countries. Even I don't do this.

And this is the problem I have had since 1994/95... For me, signatures
made with PGP / GnuPG have no weight, for several reasons, except
those made with Governikus- and maybe CT Magazine-signed keys.

Why? Can I, for example, trust fan signatures made by users on
someone's key which bears several hundred sigs and the key holder
does not sign the signers' keys? No, of course not. Call me stupid,
but even if Governikus were run by the BND or NSA etc., I would trust
the validity of such signed keys more than a signed key from "somebody"
signed by other people I do not know. Due to the procedure Governikus
uses, I can personally rest assured that the key belongs to the person
the key data states. The only thing GnuPG offers me with signatures
not made with Governikus-signed keys is that if someone has tampered
with a document, the "signature" would then no longer be valid.

Here is a little example of a .pdf I have signed with my qualified
signature:

https://keybase.pub/stefan_claas/docs/greetings.pdf

Linux users can verify my qualified signature here:

https://ec.europa.eu/cefdigital/DSS/webapp-demo

macOS or Windows users can use the free Adobe Reader DC
to do the same.

A list of TSPs (Trust Service Providers) can be seen here:

https://helpx.adobe.com/document-cloud/kb/european-union-trust-lists.html

I think PGP users should be more open to current available and accepted
standards when it comes to digital signatures.


> Best thing is to verify a key personally.

Yes, in case of PGP / GnuPG when using the classical WoT procedure.

> I would create a file which describes how your key was verified before
> signing and the data FPR and UID of your gnupg key, sign this with your
> x.509 and create a detached signature with gnupg. Needless to say that
> you should use the key mentioned in the PDF.
> 
> The wording should not be difficult itself. Something like:
> ----
> The OpenPGP key
> 
> 	key data
> 
> is signed by Governikus.....
> <verification procedure...>
> 
> <X.509 cert data> ... signed by ...
> ----

Thanks, much appreciated! I would really like to see some more examples
from native English speakers living in the U.S.

I would like to omit the creation procedure or how the signing
procedure works, because IMHO people from the PGP ecosystem
should in future accept qualified X.509 signatures.

Regards
Stefan
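
An added example, not part of Stefan's or Dirk's messages: a shell script
that builds the attestation file Dirk sketches above (OpenPGP fingerprint and
user ID in a short statement, signed once with the OpenPGP key as a detached
signature and once with an X.509 key as a detached CMS signature) and then
verifies both signatures, including the tamper-detection property Stefan
mentions (any change to the statement invalidates both signatures). It assumes
gpg (2.1 or later) and openssl are on the PATH. The user ID, the generated
OpenPGP key and the self-signed certificate are throwaway test material
constructed for the example; the self-signed certificate only stands in for a
TSP-issued qualified certificate, which would live on a smart card and be used
through the TSP's own signing software rather than openssl.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Builds Dirk's
# attestation statement with throwaway keys and verifies it.
set -eu

# Constructed test identity; nothing here belongs to a real person.
TEST_UID='Test User <test@example.invalid>'

# Create the statement in "$1" and sign it twice: a detached OpenPGP
# signature (proves control of the key the statement names) and a detached
# CMS signature with the X.509 key (stand-in for the qualified signature).
# Prints the OpenPGP fingerprint of the attested key.
attest_statement() {
    work=$1
    export GNUPGHOME="$work/gnupg"
    mkdir -p -m 700 "$GNUPGHOME"

    # Throwaway signing-only OpenPGP key in a fresh keyring.
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$TEST_UID" default sign never 2>/dev/null
    fpr=$(gpg --batch --with-colons --list-secret-keys \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # Self-signed X.509 certificate standing in for a qualified certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Stand-in for a qualified certificate' \
        -keyout "$work/x509.key" -out "$work/x509.crt" 2>/dev/null

    cat >"$work/statement.txt" <<EOF
The OpenPGP key

    fingerprint: $fpr
    user ID:     $TEST_UID

belongs to the holder of the X.509 certificate whose signature accompanies
this statement (statement.p7s).
<verification procedure: omitted in this example; a real statement would
name the TSP and describe how the holder's identity was checked>
EOF

    # Detached, ASCII-armoured OpenPGP signature over the statement.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$fpr" --armor --detach-sign \
        --output "$work/statement.txt.asc" "$work/statement.txt"

    # Detached CMS (PKCS#7) signature over exactly the same bytes.
    openssl cms -sign -binary -in "$work/statement.txt" \
        -signer "$work/x509.crt" -inkey "$work/x509.key" \
        -outform DER -out "$work/statement.p7s"

    printf '%s\n' "$fpr"
}

# Verify both detached signatures in "$1" against statement.txt.
# Returns non-zero if either fails, e.g. after the statement was altered.
verify_attestation() {
    work=$1
    export GNUPGHOME="$work/gnupg"
    gpg --batch --quiet --verify "$work/statement.txt.asc" \
        "$work/statement.txt" 2>/dev/null &&
    openssl cms -verify -binary -inform DER -in "$work/statement.p7s" \
        -content "$work/statement.txt" -CAfile "$work/x509.crt" \
        -out /dev/null 2>/dev/null
}

main() {
    work=$(mktemp -d)
    fpr=$(attest_statement "$work")
    verify_attestation "$work"
    echo "attestation for $fpr verified; files are in $work"
}

main
```

The X.509 verification deliberately passes the signer's own certificate as
the trust anchor with -CAfile; against a real qualified certificate one would
instead point -CAfile at the TSP's root from the EU trust list, which is the
step that gives the signature the weight Stefan attributes to Governikus.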
