get OpenPGP pubkeys authenticated using German personal ID

Andrew Gallagher andrewg at andrewg.com
Tue Jun 6 13:20:07 CEST 2023


On 3 Jun 2023, at 01:56, Jacob Bachmeyer <jcb62281 at gmail.com> wrote:
> 
> Alexander Leidinger via Gnupg-users wrote:
>> [...]
>> 
>> I don't remember if there was a challenge/response or not. As I still have the email with the signed key, I can tell that the signature can arrive via a TLS encrypted SMTP channel directly from Governikus (and they have an SPF setup but not DKIM):
>> ---snip---
>> 
>> Received: from smtp.governikus.de (smtp.governikus.de [194.31.70.126])
>> (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>>  key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
>>  client-signature RSA-PSS (4096 bits) client-digest SHA256)
>> (Client CN "VPR-BOS004.dmz.bosnetz.de", Issuer "VPR-BOS004.dmz.bosnetz.de" (not verified))
>> 
>> ---snip---
>> 
> 
> Am I misreading that header or does Governikus' outgoing SMTP have a self-signed client certificate for 'VPR-BOS004.dmz.bosnetz.de'?  That does not inspire confidence…


I wouldn’t read too much into this. The client cert here is probably used for internal purposes, and their MXes may be configured to offer their client certs by default - external sites won’t check it anyway, so no harm done.

A
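
The following is an added example, not part of the original message: a small parser for the TLS annotations in a Received header of the form quoted above, showing which of the client-certificate fields are unauthenticated claims. It assumes the receiving MTA writes Postfix-style annotations, in which a validated client certificate is marked "verified OK"; the function names are made up for illustration.

```python
import re

# Header quoted in the thread, copied verbatim as sample input.
SAMPLE = """Received: from smtp.governikus.de (smtp.governikus.de [194.31.70.126])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
(Client CN "VPR-BOS004.dmz.bosnetz.de", Issuer "VPR-BOS004.dmz.bosnetz.de" (not verified))"""

PEER = re.compile(r'from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\)')
TLS = re.compile(r'\(using (?P<protocol>\S+) with cipher (?P<cipher>\S+) '
                 r'\((?P<bits>\d+)/\d+ bits\)')
CERT = re.compile(r'\(Client CN "(?P<cn>[^"]*)", Issuer "(?P<issuer>[^"]*)" '
                  r'\((?P<status>[^)]*)\)\)')


def parse_received_tls(header):
    """Extract peer, TLS and client-certificate fields from one Received header."""
    flat = " ".join(header.split())  # undo header folding
    out = {}
    for rx in (PEER, TLS, CERT):
        m = rx.search(flat)
        # Fields of a pattern that does not match are recorded as None.
        out.update(m.groupdict() if m else dict.fromkeys(rx.groupindex))
    return out


def assess(fields):
    """Return notes on how far the client-certificate names can be relied on."""
    if fields["cn"] is None:
        return ["no client certificate recorded"]
    notes = []
    # Assumption: "verified OK" is the only status that means the chain validated.
    if fields["status"] != "verified OK":
        notes.append("client cert not validated by receiver: CN is an unauthenticated claim")
    # Heuristic only: the header shows names, not the certificate itself.
    if fields["cn"] == fields["issuer"]:
        notes.append("CN equals issuer name: consistent with a self-signed cert")
    if fields["cn"].lower() != (fields["helo"] or "").lower():
        notes.append("cert CN differs from HELO name")
    return notes


if __name__ == "__main__":
    parsed = parse_received_tls(SAMPLE)
    print(parsed)
    for note in assess(parsed):
        print("-", note)
```
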
