Slightly OT - i need the proper wording for a signed document

Dirk Gottschalk dirk.gottschalk1980 at googlemail.com
Thu Nov 1 16:09:56 CET 2018


Hi Stefan.

On Thursday, 01.11.2018, 11:19 +0100,
stefan.claas at posteo.de wrote:
> Hi Dirk,

> > To answer your question, even if the answer is not what you
> > expected:

> I expected something like this... ;-)
> 
> > I don't think this would change anything on the reputation on your
> > key.
> > I even don't think there is any good reason for the EU-Regulation
> > at
> > all. There is much taste of "get the citizens money for everything"
> > in
> > it. ^^

> I personally like that we have such EU regulation. And I understand
> that it costs money to build and maintain such infrastructure.

The problem is the implication of trust in governmental organizations
per se in this case. But, apart from this, there are other signature
providers who are trusted by default. AFAIK, Governikus is not listed
in the standard CA packs yet.


> > The trust level for a key depends on the trust to the signature
> > which
> > are made for your key. There is no valid reason to trust
> > "Governikus"
> > or "D-Trust (Bundesdruckerei)" by default at all, especially for
> > people
> > in foreign countries. Even I don't do this.

> And this is the problem I have had since 1994/95... For me, signatures
> made with PGP / GnuPG have no weight, for several reasons, except
> those made from Governikus and maybe c't Magazine signed keys.

Okay, that's your thing. BUT, you may have verified some of the signers'
keys on your own; this would be the same as checking against Governikus,
for example.

> Why? Can I, for example, trust fan signatures made by users on
> someone's key which bears several hundred sigs and the key holder
> does not sign the signers' keys? No, of course not. Call me stupid,
> but even if Governikus were run by the BND or NSA etc., I would
> trust the validity of such signed keys more than a signed key from
> "somebody" signed by other people I do not know. Due to the procedure
> Governikus uses, I can personally rest assured that the key belongs
> to the person the key data states. The only thing GnuPG offers
> me with signatures not made with Governikus signed keys is that if
> someone has tampered with a document the "signature" would then no
> longer be valid.

This is also the case with the PGP standard.


> Here is a little example of a .pdf I have signed with my qualified
> signature:
> 
> https://keybase.pub/stefan_claas/docs/greetings.pdf

> Linux users can verify my qualified signature here:

> https://ec.europa.eu/cefdigital/DSS/webapp-demo

> macOS or Windows users can use the free Adobe Reader DC
> to do the same.

LibreOffice can verify the signature too, as can some other tools.


> A list of TSPs (Trust Service Providers) can be seen here:
> https://helpx.adobe.com/document-cloud/kb/european-union-trust-lists.html

This is the real problem I have with the EU regulations. There are
regulations out there which are much better and do not have such
expensive certification costs to become "qualified".

I would consider an X.509 cert as valid and trustworthy which is signed
by one of the well known CAs with "extended verification". But that's
another discussion.


> I think PGP users should be more open to current available and
> accepted standards when it comes to digital signatures.

This isn't the problem at all. X.509 is a really good standard. I use
it myself really often for signing PDFs and other things.


> > Best thing is to verify a key personally.

> Yes, in case of PGP / GnuPG when using the classical WoT procedure.

That's what I meant.

[...]

> Thanks, much appreciated! I really like to see some more examples
> from native English speakers living in the U.S.

Good idea. I found some policies regarding PGP, but nothing like what
you want to do. But I only did a quick search.


> I would like to omit the creation procedure or how the signing
> procedure works, because imho people from the PGP ecosystem
> should accept in the future qualified X.509 signatures.

Not the whole procedure. But you should explain that this is a
trustworthy signature provider, since Governikus is not yet listed as a
standard root CA.

To state it clearly: X.509 is a good standard and a good procedure. I
only think the "qualified" is overrated in some situations. The
"qualified" is only really relevant in a juristic context in Germany or
in the EU. And even then there are some exceptions where other rules
override this. I had a lawsuit one year ago that showed this clearly.

The combination of OpenPGP card and X.509 is, it should be said,
really a good thing. I'm running a CA for my customers and me, for
internal purposes, which means for data exchange between different
software and so on, and the keys are derived from PGP keys on card.
GPGSM is a really nice solution for such CSRs. It only lacks the
ability to create CRLs; otherwise it could be used as a CA too.

Okay, now I have drifted completely off your topic. I'm sorry.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac


