Slightly OT - i need the proper wording for a signed document

Dirk Gottschalk dirk.gottschalk1980 at googlemail.com
Thu Nov 1 18:32:58 CET 2018


On Thursday, 01.11.2018, 17:42 +0100, Stefan Claas wrote:
> On Thu, 01 Nov 2018 16:09:56 +0100, Dirk Gottschalk wrote:
> 
> Hi Dirk,
> 
> > On Thursday, 01.11.2018, 11:19 +0100 wrote

> > The problem is the implication of trust in governmental organizations
> > per se in this case. But, far from this, there are other signature
> > providers who are trusted by default. AFAIK, Governikus is not listed
> > in the standard CA packs, yet.

> How could Governikus be listed, they are a PGP CA and not X.509, run
> on behalf of Germany's BSI?

Sorry, I mixed up Governikus with D-Trust (Bundesdruckerei).

> > > And this is the problem I have had since 1994/95... For me, signatures
> > > made with PGP / GnuPG have no weight, for several reasons, except
> > > those made from Governikus and maybe CT Magazine signed keys.
> > 
> > Okay, that's your thing. BUT, you may have verified some of the
> > signers' keys on your own; this would be the same as checking
> > against Governikus, for example.

> No, I don't think it is the same, or do you personally verify an X.509
> Root CA? I can only trust macOS or Windows with its built-in key
> store and the fingerprints on web sites from the CAs. Regarding
> Governikus, I can check for the PGP fingerprint on one of their pages
> and must rely on proper operation of my BSI certified card reader,
> AusweisApp2 and of course of my nPA.

I verify certificates against their root. That's what happens
automatically. Surely I import the CAs if I need to.


> > > Here is a little example of a .pdf I have signed with my qualified
> > > signature:
> > > 
> > > https://keybase.pub/stefan_claas/docs/greetings.pdf
> > > 
> > > Linux users can verify my qualified signature here:
> > > 
> > > https://ec.europa.eu/cefdigital/DSS/webapp-demo
> > > 
> > > macOS or Windows users can use the free Adobe Reader DC
> > > to do the same.
> > 
> > LibreOffice can verify the signature also, and some other tools.

> I am not able to verify a qualified eIDAS conform X.509 sig, which
> I can create now, with LibreOffice, nor with other tools, except
> Adobe Reader DC or with the mentioned web site link. Have you or
> someone else actually tried to verify my greetings.pdf on my keybase
> page?

> If so, I am really interested in the results from various tools!

Oh, you have this issue as well? I read about it in a Facebook group.
LibreOffice is complaining about a bad signature with certificates from
D-Trust even after importing the root. If you have the same problem,
they seem to be doing something that's not compliant with the standard.
Another argument against using this cert, IMHO. All other certificates
work well in LibreOffice in my case. I don't have a D-Trust signed file
to check the problem. But I am interested in doing so, if I could get
such a file.

PDFSign is another tool that could be tried.

> > > A list of TSPs (Trust Service Providers) can be seen here:
> > > https://helpx.adobe.com/document-cloud/kb/european-union-trust-lists.html
> > 
> > This is the real problem I have with the EU regulations. There are
> > regulations out there which are much better and do not have such
> > expensive certification costs to become "qualified".

> The sign-me service is currently free of charge, and I expect once it is
> commercially available the costs for signing (frequently) a document
> there would be much lower than obtaining a qualified eIDAS conform
> certificate on a signature card, plus software and card reader costs.

I meant the cost for becoming a "qualified" CA.

> > [...]
> > 
> > > Thanks, much appreciated! I really like to see some more examples
> > > from native English speakers living in the U.S.
> > 
> > Good idea. I found some policies regarding PGP, but nothing like you
> > want to do. But I only did a quick search.

> Same for me... and that is the reason why I started the discussion,
> to let people think about it.

I created a few policies in the past since my English is not bad. I'll
think about this and try to create something that could be a template
for a statement like you want it.

> > > I would like to omit the creation procedure or how the signing
> > > procedure works, because IMHO people from the PGP ecosystem
> > > should accept qualified X.509 signatures in the future.
> > 
> > Not the whole procedure. But you should explain that this is a
> > trustworthy signature provider since Governikus is not yet listed as
> > a standard root CA.

> That is the reason why I like to sign the .pdf, containing my key
> data, with a qualified eIDAS conform signature. The detached GnuPG
> sig should be additional info that matches the key data in the
> document.

> > To state it clearly: X.509 is a good standard and a good procedure. I
> > only think the "qualified" is overrated in some situations. The
> > "qualified" is only really relevant in a juristic context in Germany or
> > in the EU. And even then there are some exceptions where other rules
> > override this. I had a lawsuit one year ago that showed this clearly.

> I only came up with this, hopefully good, idea because a qualified
> and eIDAS conform signature will be, I strongly assume, the highest
> level in trustworthy signatures available, in the future. At least in
> Europe.

For X.509, where needed, I think this assumption is correct, at least
for communications with governmental or juristic institutions.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20181101/1bb5256a/attachment.sig>
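Added example (not from this thread, and not code from any of the tools mentioned in it): whichever viewer or web service ends up verifying the CMS blob in a PDF signature, one check that can be done independently of the vendor is whether the signature's /ByteRange actually covers the whole file except the /Contents slot. If bytes were appended after the signed range (the shape an incremental update takes), a viewer can still report the signature itself as valid while the file no longer matches what was signed, which is one reason different tools disagree on the same document. The script below builds a constructed, minimal PDF-like byte string with one signature dictionary (the /Contents value is a placeholder, not a real signature), parses /ByteRange and /Contents, reports coverage gaps, and computes the SHA-256 over exactly the covered bytes, which is the digest a CAdES/CMS verifier would compare. It does not validate the signature or the trust chain; that part is left to DSS, Adobe Reader or LibreOffice.

```python
import hashlib
import re

BR_WIDTH = 10  # fixed-width /ByteRange fields, so offsets do not shift when filled in


def build_sample_pdf(sig_hex: bytes, appended: bytes = b"") -> bytes:
    """Constructed sample: a minimal PDF-like byte string with one /Sig dictionary.
    Only the parts a ByteRange check looks at are present; /Contents is a
    placeholder hex string, not a real CMS signature. `appended` is written after
    the signed region, the way an incremental update would be (assumed layout)."""
    placeholder = b" ".join([b"0".rjust(BR_WIDTH)] * 4)

    def assemble(byte_range: bytes) -> bytes:
        body = (b"%PDF-1.7\n"
                b"1 0 obj\n"
                b"<< /Type /Sig /Filter /Adobe.PPKLite /ByteRange [")
        body += byte_range + b"] /Contents <" + sig_hex + b"> >>\n"
        body += b"endobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
        return body + appended

    draft = assemble(placeholder)
    contents_start = draft.index(b"/Contents <") + len(b"/Contents ")  # offset of '<'
    contents_end = draft.index(b">", contents_start) + 1               # offset after '>'
    signed_total = len(draft) - len(appended)                          # file size when signed
    values = [0, contents_start, contents_end, signed_total - contents_end]
    byte_range = b" ".join(str(v).encode().rjust(BR_WIDTH) for v in values)
    return assemble(byte_range)


def parse_signature(pdf: bytes):
    """Return (byte_range, contents_start, contents_end, contents_bytes) for the
    first signature dictionary found; the two offsets bracket the '<...>' string."""
    br = re.search(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", pdf)
    if br is None:
        raise ValueError("no /ByteRange found: file carries no signature")
    contents = re.search(rb"/Contents\s*<([0-9A-Fa-f]*)>", pdf)
    if contents is None:
        raise ValueError("no hex /Contents string found")
    byte_range = tuple(int(v) for v in br.groups())
    return (byte_range,
            contents.start(1) - 1,
            contents.end(1) + 1,
            bytes.fromhex(contents.group(1).decode("ascii")))


def check_byte_range(pdf: bytes) -> list:
    """List coverage problems; an empty list means the two signed ranges cover
    the whole file except the /Contents slot. Any problem here means the
    signature, even if cryptographically valid, does not vouch for the file."""
    (a, b, c, d), cs, ce, _ = parse_signature(pdf)
    problems = []
    if a != 0:
        problems.append("first range does not start at offset 0")
    if a + b != cs:
        problems.append("first range does not end exactly at the /Contents string")
    if c != ce:
        problems.append("second range does not start right after the /Contents string")
    if c + d < len(pdf):
        problems.append(f"{len(pdf) - (c + d)} byte(s) after the signed range are not covered")
    elif c + d > len(pdf):
        problems.append("second range runs past the end of the file")
    return problems


def covered_bytes(pdf: bytes) -> bytes:
    """Exactly the bytes the signature covers: both ranges joined."""
    (a, b, c, d), _, _, _ = parse_signature(pdf)
    return pdf[a:a + b] + pdf[c:c + d]


def signed_digest(pdf: bytes) -> str:
    """SHA-256 of the covered bytes, the message digest a CMS/CAdES verifier
    compares against the one embedded in the signature."""
    return hashlib.sha256(covered_bytes(pdf)).hexdigest()


if __name__ == "__main__":
    clean = build_sample_pdf(b"DEADBEEF")
    print("clean file:", check_byte_range(clean) or "byte range covers the whole file")
    print("covered digest:", signed_digest(clean))
    # Constructed incremental update appended after the signed region.
    update = b"2 0 obj\n<< /Type /Annot >>\nendobj\n%%EOF\n"
    modified = build_sample_pdf(b"DEADBEEF", appended=update)
    print("file with later update:", check_byte_range(modified))
```

Run it as-is to see both cases; to look at a real file, read its bytes and pass them to check_byte_range() and signed_digest(). Real PDFs can legitimately carry more than one signature and more than one incremental update, so a non-empty problem list is a reason to look closer, not by itself proof of tampering.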

