Houston, we have a problem

Stefan Claas stefan.claas at posteo.de
Thu Sep 21 23:06:21 CEST 2017


On Thu, 21 Sep 2017 22:38:06 +0200, Ralph Seichter wrote:
> On 21.09.17 22:11, Stefan Claas wrote:
> 
> > > You can only ever be certain of a signature if you have personally
> > > verified the signing key and the signer's identity.  
> >
> > Well, call me a stupid Mac dummy, but how in the world could GnuPG
> > users, living in different areas, verify that?
> 
> They can't. That's one of the reasons the "web of trust" is a tricky
> concept. Among all of the people I know to use PGP, I trust only two
> to verify both key fingerprints and identities as thoroughly as I do.
> That means I usually have to jump through hoops to verify stuff
> myself, and that only works for people I have personally met (and
> checked their Personalausweis or what have you). My web of trust is
> almost non-existent. Yours might be extensive. It all depends on what
> you verify yourself and who else you trust to verify. As Robert
> wrote, you seem to keep rehashing the same issue, and an old one at
> that.

Thank you for your detailed point of view.

> > https://pgp.governikus-eid.de/pgp/  
> 
> You mean there are people who actually use Online-PA, and trust the
> BSI on top of that? You're kidding, right? ;-) I neither care nor
> trust what Governikus signs. I've been providing IT security services
> for decades, and find it extremely hard to trust others in this
> field, based on my own experience.

Well, I once used their service to obtain a sig3. I think under normal
circumstances this would be a better idea to check if a Personalausweis
is valid or fake, assuming GnuPG Signatures could be used in the future
for online business, because then "carefully" crafted WoT signatures
would have imho no weight in the business world.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas


