OpenPGP key verification + legal framework

Dirk Gottschalk dirk.gottschalk1980 at
Tue Nov 6 19:33:06 CET 2018


On Monday, 05.11.2018, at 21:47 +0200, Viktor wrote:
> And we actually do not sign keys. For two reasons:
> a. If you automatically trust the signing key, compromising the
> signing key breaks the entire system.
> b. In many countries,
> generating or signing cryptographic keys requires a license. We
> create a system that should work the same way and legally
> in all countries. And we do not sign key certificates. We only attach
> to them information about the owner of the key, which the user
> manually checks before adding this certificate to his list of
> trusted certificates.

In the EU the use of a "qualified" signature is mandatory when it comes to
legal issues. Between private companies it is okay to just use OpenPGP,
but when it comes to legal issues, one party could deny the validity of
the signature because it is not accepted as a legal signature format,
at least in Germany.

We have the "qualified signature problem" here. In my opinion a bad
solution, but the EU is known to make more bullsh*t than reasonable


Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838


More information about the Gnupg-users mailing list