keys.openpgp.org not sending confirmation email

Binarus lists at binarus.de
Wed Sep 18 09:10:53 CEST 2019
On 17.09.2019 21:58, Stefan Claas via Gnupg-users wrote:
> Binarus wrote:
> 
>> Actually, I currently don't know anybody who I could ask to sign my
>> keys, and furthermore, the problem is bigger the other way around. Can I
>> trust the key which I found on the key server for the intended
>> recipient's email address? Can I at least be sure that the key server
>> has sent a confirmation email to that email address and has received the
>> answer? Or has it failed to do so due to a malformed email address, but
>> finds that address nevertheless because it performs a full-text search
>> against the key IDs?
> 
> If you used your real name in your UID you could let Governikus
> certify your key. Governikus is a German CA run on behalf of the BSI.
> 
> For that you will need a (certified) ID-card reader and AusweisApp2.
> 
> https://pgp.governikus.de/pgp/

Thank you very much for that hint. That might be a solution for German
citizens, and probably the citizens of a few other European countries.

However, I see several problems:

- People just refuse to spend money or precious desk space on chip card
readers. The best proof is the nonsense the German banks are currently
doing to implement PSD2. I do not know anybody who has bought a chip
card reader. Instead, everybody installs a TAN generator app (one for
each bank) on the very same smart phone where the actual banking apps
are running, which undoubtedly decreases security.

- While I have no problem with one-time investments (chip card reader),
my red line is regular payments. From a first quick look at the website
you mentioned, I got the impression that the certification is currently
free of charge. However, at first glance, I couldn't find out how long
a certification is valid, and experience tells me that they will begin
to charge a substantial amount of money every year or so to refresh the
certifications as soon as more than an infinitesimal number of people
use them.

- After the incidents at the web (SSL) CAs (Symantec, DigiNotar and so
on), I do not trust any centralized certification any more, even if
those incidents happened some years ago.

By the way, when clicking "Öffentlicher Schlüssel für die Beglaubigung"
in the menu at the page bottom of https://pgp.governikus.de/pgp/, you
currently just get an error page ("Es konnte leider nichts gefunden
werden" - "Unfortunately, nothing could be found"). This for sure is the
best way to generate trust ... Probably it's exactly what you should
expect from a company which acts on behalf of the German government.

- The most important aspect is that I just can't force an addressee of a
private message to get that certification. The addressee might live in
another country where such certification is not available, or he might
refuse to buy a card reader or to get the certification for other
reasons. I don't have any figures (hopefully somebody else has), but I
suppose that no more than 5% of PGP users have a chip card reader.

In contrast, the email verification system for keys is by far less
secure than the Governikus certification, but it is already available,
works in every country and provides at least some level of security
which is by far better than nothing. It just needs to be supported by
making implementation easier, which primarily means eliminating the
ambiguities when deciding what is an email address in the key IDs, which
in turn means making dedicated addr entries mandatory and forbidding
treating anything outside these entries as an email address; all of this
could be achieved with some small changes to the key ID convention /
specification, which additionally would make parsing the key ID by key
servers much easier, less error-prone and reproducible.

> Regarding the other questions, it would be IMHO really nice if we
> would have internationally more CAs for GnuPG users, thus one must
> not rely on the classical WoT signatures.

As long as these CAs don't charge money, I totally agree with you
(although I am mistrustful towards CAs as I stated above).

Finally, I've got a question (no criticism, really just a question
because I have absolutely no experience with AusweisApp and the like):

You have stated that my real name must be in the key ID if I would like
to have the key certified by Governikus. Does the key ID need to have
other personal data in it? After all, as an example, there for sure are
at least 1000 people in Germany whose name is "Peter Meier" (which is
the reason why I personally will always use the email address (instead
of the name) as the criterion when searching for a public key). If there
is other personal data in the ID (like the address), what happens when
people relocate?

Regards, and thank you very much,

Binarus
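The ambiguity the message above describes (a key server that finds a key for an address by full-text search over the User IDs, rather than only through a dedicated, verifiable address entry) can be made concrete with a small lookup. The following Python is an added example, not code from this thread or from any key server; it assumes the common "Name (Comment) <address>" User ID convention as the strict form, treats only the angle-bracketed part as the address, and uses a constructed sample keyring (key names and addresses are invented). A loose, substring-style match over the same keyring is shown beside it so the difference in what each lookup returns is visible.

```python
import re

# Strict User ID form assumed here: optional name, optional "(comment)",
# then exactly one address in angle brackets. Only the bracketed part is
# treated as an address; everything else is name or comment text.
UID_RE = re.compile(
    r'^\s*(?P<name>[^<(]*?)\s*'
    r'(?:\((?P<comment>[^)]*)\)\s*)?'
    r'(?:<(?P<addr>[^<>\s]+)>)?\s*$'
)

# Conservative address syntax: one "@", no whitespace or brackets, dotted domain.
ADDR_RE = re.compile(r'^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$')


def strict_addr(uid):
    """Return the address from a well-formed User ID, or None if the UID has
    no bracketed address or the bracketed text is not a plausible address."""
    m = UID_RE.match(uid)
    if not m or not m.group('addr'):
        return None
    addr = m.group('addr')
    if not ADDR_RE.match(addr):
        return None
    return addr.lower()


def loose_match(uid, query):
    """Full-text style match: does the query appear anywhere in the User ID?
    This is the behaviour the message above worries about: it matches text
    in names and comments, and malformed addresses, just as readily."""
    return query.lower() in uid.lower()


def lookup(keys, query):
    """Look up a query address against a keyring {key_name: [user_ids]}.
    Returns (keys found by strict address match, keys found by loose match)."""
    q = query.lower()
    strict = [k for k, uids in keys.items()
              if any(strict_addr(u) == q for u in uids)]
    loose = [k for k, uids in keys.items()
             if any(loose_match(u, query) for u in uids)]
    return strict, loose


# Constructed sample keyring (invented key names and addresses).
SAMPLE_KEYS = {
    "KEY-A": ["Peter Meier <peter.meier@example.org>"],
    # Address written bare, outside any brackets: not a dedicated addr entry.
    "KEY-B": ["peter.meier@example.org"],
    # The address appears only inside the comment; the real addr is another one.
    "KEY-C": ["Peter Meier (old: peter.meier@example.org) <pm@example.net>"],
    # Malformed: stray space inside the brackets.
    "KEY-D": ["Peter Meier <peter.meier@example.org >"],
}

if __name__ == "__main__":
    strict, loose = lookup(SAMPLE_KEYS, "peter.meier@example.org")
    print("strict match :", strict)
    print("loose match  :", loose)
```

With the sample keyring, the strict lookup returns only KEY-A, the one key whose dedicated address entry is the queried address; the loose lookup returns all four, including a key where the address is merely mentioned in a comment and one where it is malformed. A verification mail can only have been sent to an address that was parsed as an address in the first place, which is why the strict form is the one a server can reason about.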


