ping - Governikus

Stefan Claas spam.trap.mailing.lists at
Tue Nov 3 17:44:08 CET 2020

On Tue, Nov 3, 2020 at 12:10 AM Andrew Gallagher <andrewg at> wrote:
> > On 2 Nov 2020, at 19:55, Stefan Claas <spam.trap.mailing.lists at> wrote:
> >
> > On Mon, Nov 2, 2020 at 7:12 PM Stefan Claas
> > <spam.trap.mailing.lists at> wrote:
> >
> >> I think a solution to this problem could be PBKDF2 hashed data
> >> in the UID, but developing an OpenPGP certifying workflow could
> >> be a bit tricky.
> >>
> >>
> >
> > To be more precise, the name 'Stefan Claas' would be still readable in the
> > UID but the additional hashed data would be displayed as a hash, like in
> > the code example and it would have hashed additional data from my ID-card.
> >
> > Because the other Stefan Claas would not have the same hash string in the
> > UID this could be a working solution.
> Aha, so what you’re looking for is a signature over a nonced, hashed ID but without the       plaintext ID being attached - in which case do you even need the plaintext “real name” at all? After all, if there are only two Stefan Claases in Germany you’ve already leaked far too much information for the subterfuge to be worth the effort. What’s the use case?

As we know OpenPGP compatible public key cryptography usually requires
a UID, whether
the ones we are used to or a freeform UID. My goal is to have a CA
certified pubkey with
only one UID and without an email address, so that the key pair can be
universally been
used, besides classic email, ie. Fax, Telephone, Radio, Blog post
discussions, Bitmessage, File Transfer, Postcards, Letters, Social
Media chats, Messengers and what not which all do not require an email
address. In case of email it should be possible to use it for multiple
email accounts or if email accounts change, to not edit the key or
create a new key. Simply said, a certified multipurpose OpenPGP key
for long term usage.

Why the included Name and hash string? GnuPG users, I assume, are used
to public keys including a name in the UID, for their keyring
management and selecting keys with
their MUA/NUA plug-ins.

Since we mentioned that it can happen that many people bear the same
name I thought/think
it could be useful for certifying purposes that an additional hash
string, composed from additional  ID-card data, which can't be easily
reversed, would be useful.

Let's assume the following ... In case would expand their
business and would also
run a CA, I could simply send them per postal mail a CD, containing my
pub key, with my
name and the hash string and a photo of my ID-card. They simply could
then compare the
name on the key and photo plus in case of many Stefan Claases they
could also verify the
hash string by rehashing the data which I hashed from my ID-card, thus
guaranteeing to third parties with their CA sig. that this universal
public key, without an email address, belongs to
me and not the other Stefan Claas. In case this would be not enough
proof for the CA I could include on the CD an additional eIDAS signed
.pdf document, including the fingerprint of my pub  key.

I also think that maybe many people would like to have a CA certified
universal OpenPGP public key, without an email address.


More information about the Gnupg-users mailing list