get OpenPGP pubkeys authenticated using German personal ID

Alexander Leidinger Alexander at leidinger.net
Fri Jun 2 07:55:24 CEST 2023


  Quoting Andrew Gallagher <andrewg at andrewg.com> (from Thu, 1 Jun 2023  
14:19:29 +0100):

> On 1 Jun 2023, at 12:23, Alexander Leidinger via Gnupg-users  
> <gnupg-users at gnupg.org> wrote:
>
>> Quoting Bernhard Reiter <bernhard at intevation.de> (from Wed,
>> 31 May 2023 16:55:05 +0200):
>>
>>> Obviously they cannot authenticate the email address
>>> so once I have a common name, we get collisions?
>>
>> The signature is sent to the email listed in the key. In case you
>> share a name with someone who has a PGP key and you sign this
>> key, the person(s) with access to that email account will get the
>> signature.
>
>   This is not best practice. Normally when email verification is  
> being performed, the gated action (such as certification, account  
> creation etc.) is not done until after a (time-bound!)  
> challenge/response succeeds. This places too much emphasis on  
> verification of the (non-unique) “real name” component of the  
> UserID, and not enough on the machine-readable email address.
>    
>   This opens up more fundamental questions about the meaning of  
> signatures over RFC822 UserIDs - do they validate the “real name”,  
> the email address, or some combination of the two? For example, an  
> email-validating CA may only check the email address part, treating  
> the “real name” as little more than a comment; while Governikus  
> appear to be doing it the other way around. It is of course up to  
> the receiver to decide how to interpret signatures, but it only  
> compounds the problem when not only is the signer’s trustworthiness  
> in question, but also their intent. How do you interpret the  
> validity of a claim when it’s not even clear what the claim is?
>    

I don't remember if there was a challenge/response or not. As I still
have the email with the signed key, I can tell that the signature arrived
via a TLS-encrypted SMTP channel directly from Governikus (and they have
an SPF setup but not DKIM):
---snip---
Received: from smtp.governikus.de (smtp.governikus.de [194.31.70.126])
  (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
  key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
  client-signature RSA-PSS (4096 bits) client-digest SHA256)
  (Client CN "VPR-BOS004.dmz.bosnetz.de", Issuer
  "VPR-BOS004.dmz.bosnetz.de" (not verified))
---snip---

Bye,
Alexander.
-- 
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild at FreeBSD.org  : PGP 0x8F31830F9F2772BF
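The gating Andrew describes in the quoted reply, a time-bound challenge/response that must succeed before the certification is released, as an added example in Python. This is not Governikus' process and not GnuPG code; it only models the control. The mail delivery and the OpenPGP signing step are stubbed (the "certification" is just a recorded pair), the server secret, the 15-minute TTL, the fingerprints and the User IDs are all constructed for the example, and the token is bound to the key fingerprint and to the e-mail part of the User ID so that a token issued for one key cannot be redeemed for another key that merely shares the same display name.

```python
"""Time-bound, single-use challenge/response before certifying an OpenPGP User ID.

Added example, not Governikus' or GnuPG's code. The gated action (emitting a
certification) is withheld until a token that was sent to the e-mail address
in the User ID is presented back, within its TTL, exactly once. The
certification itself is stubbed and no mail is actually sent.
"""
import hashlib
import hmac
import secrets
import time
from email.utils import parseaddr

SERVER_SECRET = b"example-only-secret"   # assumed: in practice from a secret store, rotated
TOKEN_TTL = 15 * 60                      # assumed policy: a challenge is valid for 15 minutes


def uid_email(user_id: str) -> str:
    """Return the machine-readable address of an RFC 822 style User ID, lower-cased.

    The display-name part is deliberately ignored: it is not unique and is not
    what a mailbox challenge can verify.
    """
    _name, addr = parseaddr(user_id)
    if "@" not in addr:
        raise ValueError(f"User ID carries no e-mail address: {user_id!r}")
    return addr.lower()


def _mac(fingerprint: str, email: str, nonce: str, issued_at: int) -> str:
    """HMAC binding the token to one (key, address, nonce, issue time)."""
    msg = f"{fingerprint}\n{email}\n{nonce}\n{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


class CertificationGate:
    def __init__(self, now=time.time):
        self._now = now               # injectable clock so expiry can be tested
        self._redeemed = set()        # nonces already used (single-use enforcement)
        self.certifications = []      # (fingerprint, email) pairs actually certified

    def issue(self, fingerprint: str, user_id: str) -> tuple[str, str]:
        """Build the challenge for one key/User ID.

        Returns (recipient, token). The caller must deliver `token` to
        `recipient` and nowhere else; nothing is certified at this point.
        """
        email = uid_email(user_id)
        issued_at = int(self._now())
        nonce = secrets.token_urlsafe(16)      # no '.' in the alphabet, so split() is safe
        token = f"{issued_at}.{nonce}.{_mac(fingerprint, email, nonce, issued_at)}"
        return email, token

    def redeem(self, token: str, fingerprint: str, user_id: str) -> tuple[bool, str]:
        """Certify only if the presented token is intact, bound to this key and
        address, still within TOKEN_TTL and not previously redeemed."""
        try:
            issued_str, nonce, mac = token.split(".")
            issued_at = int(issued_str)
        except ValueError:
            return False, "malformed token"
        try:
            email = uid_email(user_id)
        except ValueError as e:
            return False, str(e)
        # Binding check first: a token issued for another (fingerprint, e-mail)
        # pair, e.g. someone else's key with the same display name, fails here.
        if not hmac.compare_digest(mac, _mac(fingerprint, email, nonce, issued_at)):
            return False, "token not bound to this key and address"
        if self._now() - issued_at > TOKEN_TTL:
            return False, "token expired"
        if nonce in self._redeemed:
            return False, "token already used"
        self._redeemed.add(nonce)
        self.certifications.append((fingerprint, email))   # stub for the real signing step
        return True, "certified"


if __name__ == "__main__":
    # Constructed sample data, not real keys or people.
    gate = CertificationGate()
    fpr_a = "AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000"
    fpr_b = "BBBB1111BBBB1111BBBB1111BBBB1111BBBB1111"
    recipient, token = gate.issue(fpr_a, "Jane Doe <jane@example.org>")
    print("deliver token to", recipient)
    # Same display name, different key and mailbox: the token does not transfer.
    print(gate.redeem(token, fpr_b, "Jane Doe <jane@example.net>"))
    print(gate.redeem(token, fpr_a, "Jane Doe <jane@example.org>"))   # certified
    print(gate.redeem(token, fpr_a, "Jane Doe <jane@example.org>"))   # already used
```

The order of checks matters a little: the HMAC comparison runs before the expiry and replay checks so that an attacker probing with forged tokens learns nothing about which nonces are live, and the redeemed-nonce set is what turns an otherwise stateless token into a single-use one.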