Slightly OT - i need the proper wording for a signed document

Stefan Claas stefan.claas at posteo.de
Thu Nov 1 17:42:41 CET 2018


On Thu, 01 Nov 2018 16:09:56 +0100, Dirk Gottschalk wrote:

Hi Dirk,

> On Thursday, 01.11.2018, 11:19 +0100,
> stefan.claas at posteo.de wrote:
> > Hi Dirk,    

> > I personally like that we have such EU regulation. And i understand
> > that it costs money to build and maintain such infrastructure.    
> 
> The problem is the implication of trust in governmental organizations
> per se in this case. But, far from this, there are other signature
> providers who are trusted by default. AFAIK, Governikus is not listed
> in the standard CA packs yet.

How could Governikus be listed? They are a PGP CA and not X.509, run on
behalf of Germany's BSI.

> > And this is the problem I have had since 1994/95... For me, signatures
> > made with PGP / GnuPG have no weight, for several reasons, except
> > those made by Governikus and maybe CT Magazine signed keys.
> 
> Okay, that's your thing. BUT, you may have verified some of the
> signers' keys on your own; this would be the same as checking against
> Governikus, for example.

No, I don't think it is the same, or do you personally verify an X.509
Root CA? I can only trust macOS or Windows with its built-in key store
and the fingerprints on the CAs' web sites. Regarding Governikus,
I can check for the PGP fingerprint on one of their pages and must rely
on proper operation of my BSI-certified card reader, AusweisApp2 and of
course my nPA.

> > Here is a little example of a .pdf I have signed with my qualified
> > signature:
> > 
> > https://keybase.pub/stefan_claas/docs/greetings.pdf    
>   
> > Linux users can verify my qualified signature here:    
>   
> > https://ec.europa.eu/cefdigital/DSS/webapp-demo    
>   
> > macOS or Windows users can use the free Adobe Reader DC
> > to do the same.
> 
> LibreOffice can verify the signature also, and some other tools.

I am not able to verify a qualified eIDAS-conformant X.509 sig, which
I can create now, with LibreOffice, nor with other tools, except Adobe
Reader DC or with the mentioned web site link. Have you or someone
else actually tried to verify my greetings.pdf on my keybase page?

If so, I am really interested in the results from various tools!

> > A list of TSPs (Trust Service Providers) can be seen here:
> > https://helpx.adobe.com/document-cloud/kb/european-union-trust-lists.html    
>  
> This is the real problem I have with the EU regulations. There are
> regulations out there which are much better and do not have such
> expensive certification costs to become "qualified".

The sign-me service is currently free of charge, and I expect that once it is
commercially available, the costs for signing a document (frequently)
there would be much lower than obtaining a qualified eIDAS-conformant
certificate on a signature card, plus software and card reader costs.

> [...]
>   
> > Thanks, much appreciated! I really like to see some more examples
> > from native English speakers living in the U.S.    
> 
> Good idea. I found some policies regarding PGP, but nothing like you
> want to do. But I only did a quick search.

Same for me... and that is the reason why I started the discussion, to
let people think about it.

> > I would like to omit the creation procedure or how the signing
> > procedure works, because imho people from the PGP ecosystem
> > should in the future accept qualified X.509 signatures.
> 
> Not the whole procedure. But you should explain that this is a
> trustworthy signature provider, since Governikus is not yet listed as a
> standard root CA.

That is the reason why I would like to sign the .pdf, containing my key data,
with a qualified eIDAS-conformant signature. The detached GnuPG sig should
be additional information that matches the key data in the document.

> To state it clearly: X.509 is a good standard and a good procedure. I
> only think the "qualified" is overrated in some situations. The
> "qualified" is only really relevant in a juristic context in Germany or
> in the EU. And even then there are some exceptions where other rules
> override this. I had a lawsuit one year ago that showed this clearly.

I only came up with this, hopefully good, idea because a qualified and
eIDAS-conformant signature will be, I strongly assume, the highest level
of trustworthy signatures available in the future. At least in Europe.

Regards
Stefan
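As an added example (not code from this thread, nor from Adobe Reader, LibreOffice or the DSS webapp named in it): before trusting any tool's verdict on a signed PDF such as greetings.pdf, a practitioner can check the one structural property every PAdES verifier depends on, that the signature's /ByteRange covers the whole file except the /Contents blob. The script below parses a constructed sample with a placeholder (not real) CMS blob, reports coverage and the digest over the signed bytes, and shows how data appended after signing leaves the signed hash unchanged while the file is no longer fully covered; the sample bytes and the appended update are constructed for this example.

```python
import hashlib
import re

# Regexes for the two entries of a PDF signature dictionary that matter here.
# Searching raw bytes is a heuristic (first signature only, no real PDF parsing).
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTENTS_RE = re.compile(rb"/Contents\s*<([0-9A-Fa-f]*)>")

# Constructed sample: a minimal PDF-like file with one /Sig dictionary.
# The /Contents hex blob is a placeholder, not a real CMS/CAdES signature.
def build_sample_pdf() -> bytes:
    contents = b"<" + b"00" * 16 + b">"
    head = (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite "
            b"/SubFilter /ETSI.CAdES.detached /Contents ")
    first_len = len(head)                    # first range: everything before the blob
    second_start = first_len + len(contents)  # second range starts right after it
    # fixed-width numbers keep the ByteRange text from shifting the offsets
    def tail(d: int) -> bytes:
        return b" /ByteRange [0 %010d %010d %010d] >>\nendobj\n%%%%EOF\n" % (first_len, second_start, d)
    return head + contents + tail(len(tail(0)))

# Constructed incremental update appended after signing: the kind of trailing
# data that makes different verifiers disagree about whether a document is intact.
APPENDED_UPDATE = b"\n2 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

def tampered_sample() -> bytes:
    return build_sample_pdf() + APPENDED_UPDATE

def check_byte_range(pdf: bytes) -> dict:
    """Locate /ByteRange and /Contents, check that the two signed ranges cover
    the whole file except the /Contents string, and hash the signed bytes."""
    m = BYTERANGE_RE.search(pdf)
    cm = CONTENTS_RE.search(pdf)
    if not m or not cm:
        raise ValueError("no signature dictionary with /ByteRange and /Contents")
    a, b, c, d = (int(x) for x in m.groups())
    gap_start = cm.start(1) - 1   # offset of '<'
    gap_end = cm.end(1) + 1       # offset just after '>'
    covers = a == 0 and a + b == gap_start and c == gap_end and c + d == len(pdf)
    signed = pdf[a:a + b] + pdf[c:c + d]   # exactly the bytes the signer hashed
    return {
        "byte_range": (a, b, c, d),
        "covers_whole_file": covers,
        "trailing_bytes": len(pdf) - (c + d),
        "sha256": hashlib.sha256(signed).hexdigest(),
    }
```

A "valid" verdict from a tool only means the bytes inside the ranges match the signature; whether trailing bytes are acceptable is a policy decision each tool makes on its own, which is one reason results differ between verifiers.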