get OpenPGP pubkeys authenticated using German personal ID

Alexander Leidinger Alexander at
Fri Jun 2 07:55:24 CEST 2023

  Quoting Andrew Gallagher <andrewg at> (from Thu, 1 Jun 2023  
14:19:29 +0100):

> On 1 Jun 2023, at 12:23, Alexander Leidinger via Gnupg-users  
> <gnupg-users at> wrote:
>>        Quoting Bernhard Reiter <bernhard at> (from Wed,  
>> 31 May 2023 16:55:05 +0200):
>>> Obviously they cannot authenticate the email address
>>> so once I have a common name, we get collisions?
>> The signature is sent to the email listed in the key. In case you  
>> share a name with someone who has a PGP key and you sign this  
>> key, the person(s) with access to that email account will get the  
>> signature.
>   This is not best practice. Normally when email verification is  
> being performed, the gated action (such as certification, account  
> creation etc.) is not done until after a (time-bound!)  
> challenge/response succeeds. This places too much emphasis on  
> verification of the (non-unique) “real name” component of the  
> UserID, and not enough on the machine-readable email address.
>   This opens up more fundamental questions about the meaning of  
> signatures over RFC822 UserIDs - do they validate the “real name”,  
> the email address, or some combination of the two? For example, an  
> email-validating CA may only check the email address part, treating  
> the “real name” as little more than a comment; while Governikus  
> appear to be doing it the other way around. It is of course up to  
> the receiver to decide how to interpret signatures, but it only  
> compounds the problem when not only is the signer’s trustworthiness  
> in question, but also their intent. How do you interpret the  
> validity of a claim when it’s not even clear what the claim is?

I don't remember if there was a challenge/response or not. As I still  
have the email with the signed key, I can tell that the signature can  
arrive via a TLS encrypted SMTP channel directly from Governikus (and  
they have an SPF setup but not DKIM):

Received: from ( [])  
  (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)  
  key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256  
  client-signature RSA-PSS (4096 bits) client-digest SHA256)  
  (Client CN "", Issuer "" (not verified))
---snip---

-- Alexander at PGP 0x8F31830F9F2772BF    netchild at  : PGP 0x8F31830F9F2772BF
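Andrew's description above of a time-bound challenge/response that must succeed before the gated action (the certification) is performed, as an added example that is not part of this thread and not code from Governikus or GnuPG: a minimal Python gate that mails a token to the address in the UserID, accepts it only while unexpired and only for that exact mailbox and key fingerprint, and binds the machine-readable email address rather than the non-unique "real name". The server secret, the mailboxes and the fingerprints are constructed placeholders.

```python
import hashlib
import hmac
import time
from email.utils import parseaddr
from typing import Optional

# Constructed demo secret; a real service keeps this in a KMS or config store.
SERVER_SECRET = b"demo-only-secret-not-for-production"
CHALLENGE_TTL = 15 * 60  # seconds a challenge stays valid (the "time-bound" part)


def _challenge_mac(email: str, fingerprint: str, expiry: int) -> str:
    """HMAC binding the mailbox, the key fingerprint and the expiry together."""
    msg = f"{email.lower()}\x00{fingerprint.upper()}\x00{expiry}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(email: str, fingerprint: str, now: Optional[int] = None) -> str:
    """Token that would be mailed to the address in the UserID, not to the requester.

    Nothing is certified at this point; the caller only sends the mail."""
    now = int(time.time()) if now is None else now
    expiry = now + CHALLENGE_TTL
    return f"{expiry}.{_challenge_mac(email, fingerprint, expiry)}"


def verify_challenge(token: str, email: str, fingerprint: str,
                     now: Optional[int] = None) -> bool:
    """True only if the token is unexpired and was issued for this mailbox and key."""
    now = int(time.time()) if now is None else now
    try:
        expiry_text, mac = token.split(".", 1)
        expiry = int(expiry_text)
    except ValueError:
        return False  # malformed token
    if now > expiry or not mac.isascii():
        return False
    return hmac.compare_digest(mac, _challenge_mac(email, fingerprint, expiry))


def certify_userid(token: str, userid: str, fingerprint: str,
                   now: Optional[int] = None):
    """Gated action: return a certification record only after the challenge succeeded.

    Only the email part of the RFC 822 UserID is bound; the "real name" is treated
    as a comment, so two keys sharing a name but not a mailbox cannot collide."""
    now = int(time.time()) if now is None else now
    _name, email = parseaddr(userid)
    if "@" not in email or not verify_challenge(token, email, fingerprint, now):
        return None
    return {"fingerprint": fingerprint.upper(), "email": email.lower(), "certified_at": now}


if __name__ == "__main__":
    # Constructed sample: two UserIDs share a real name but not a mailbox.
    t0 = 1_700_000_000
    token = issue_challenge("alice@example.org", "FPR-A-PLACEHOLDER", t0)
    print(certify_userid(token, "Alexander Leidinger <alice@example.org>",
                         "FPR-A-PLACEHOLDER", t0 + 60))
    print(certify_userid(token, "Alexander Leidinger <other@example.org>",
                         "FPR-A-PLACEHOLDER", t0 + 60))
    print(certify_userid(token, "Alexander Leidinger <alice@example.org>",
                         "FPR-A-PLACEHOLDER", t0 + CHALLENGE_TTL + 1))
```

The token is stateless, so within its TTL it could be presented more than once; a service that needs single-use challenges should additionally record consumed tokens (or a per-request nonce) server-side. The point the thread raises is preserved either way: the signature is never emitted merely because a name matched, only after the holder of the listed mailbox proved control of it in time.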