Re: get OpenPGP pubkeys authenticated using German personal ID

2023-06-01 Thread Alexander Leidinger via Gnupg-users
Quoting Andrew Gallagher (from Thu, 1 Jun 2023 14:19:29 +0100):

> On 1 Jun 2023, at 12:23, Alexander Leidinger via Gnupg-users wrote:
>
>> Quoting Bernhard Reiter (from Wed, 31 May 2023 16:55:05 +0200):
>>
>>> Obviously they cannot authenticate the email address
>>> so once I have a common name, we get collisions?
>>
>> The signature is sent to the email listed in the key. In case you
>> share a name with someone who has a PGP key and you sign this
>> key, the person(s) with access to that email account will get the
>> signature.
>
> This is not best practice. Normally when email verification is
> being performed, the gated action (such as certification, account
> creation etc.) is not done until after a (time-bound!)
> challenge/response succeeds. This places too much emphasis on
> verification of the (non-unique) “real name” component of the
> UserID, and not enough on the machine-readable email address.
>
> This opens up more fundamental questions about the meaning of
> signatures over RFC822 UserIDs - do they validate the “real name”,
> the email address, or some combination of the two? For example, an
> email-validating CA may only check the email address part, treating
> the “real name” as little more than a comment; while Governikus
> appear to be doing it the other way around. It is of course up to
> the receiver to decide how to interpret signatures, but it only
> compounds the problem when not only is the signer’s trustworthiness
> in question, but also their intent. How do you interpret the
> validity of a claim when it’s not even clear what the claim is?

I don't remember if there was a challenge/response or not. As I still
have the email with the signed key, I can tell that the signature can
arrive via a TLS encrypted SMTP channel directly from Governikus (and
they have an SPF setup but not DKIM):

---snip---
Received: from smtp.governikus.de (smtp.governikus.de [194.31.70.126])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
         client-signature RSA-PSS (4096 bits) client-digest SHA256)
        (Client CN "VPR-BOS004.dmz.bosnetz.de", Issuer "VPR-BOS004.dmz.bosnetz.de" (not verified))
---snip---


Bye,
Alexander.
--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org   netch...@freebsd.org  : PGP 0x8F31830F9F2772BF


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: get OpenPGP pubkeys authenticated using German personal ID

2023-06-01 Thread Andrew Gallagher via Gnupg-users
On 1 Jun 2023, at 15:50, Johan Wevers via Gnupg-users wrote:
> 
> On 2023-05-31 16:55, Bernhard Reiter wrote:
> 
>> Governikus provides the online service for authenticating your OpenPGP key on
>> behalf of the German Federal Office for Information Security (BSI). This
>> online service compares the name read from your ID card, your electronic
>> residence permit or eID card for citizens of the European Union with the name
>> specified in your OpenPGP key. If the names match, your public key is
>> electronically signed by Governikus, confirming the match.
> 
> Considering the persistent attempts of the EU to scan all encrypted
> communication, would you think it is wise to prove to one of the
> governments pushing this which key is yours? GnuPG encrypted mail can be
> analyzed to see what the receiver's keyID is so using such a key with
> another mail address would inform any snooper that it is yours.

If you want to maintain two separate online identities, and keep that linkage 
secret from your government, using the same encryption key for both is pretty 
high up the list of very bad ideas.

A





Re: get OpenPGP pubkeys authenticated using German personal ID

2023-06-01 Thread Johan Wevers via Gnupg-users
On 2023-05-31 16:55, Bernhard Reiter wrote:

> Governikus provides the online service for authenticating your OpenPGP key on 
> behalf of the German Federal Office for Information Security (BSI). This 
> online service compares the name read from your ID card, your electronic 
> residence permit or eID card for citizens of the European Union with the name 
> specified in your OpenPGP key. If the names match, your public key is 
> electronically signed by Governikus, confirming the match. 

Considering the persistent attempts of the EU to scan all encrypted
communication, would you think it is wise to prove to one of the
governments pushing this which key is yours? GnuPG encrypted mail can be
analyzed to see what the receiver's keyID is so using such a key with
another mail address would inform any snooper that it is yours.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

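Johan's point that an encrypted message names its recipient key in clear can be checked directly on the packet stream. The parser below is an added example, not code from this thread or from GnuPG: it walks the packets of an OpenPGP message (RFC 4880, section 5.1) and reports the key IDs in the Public-Key Encrypted Session Key packets, which is what `gpg --list-packets` would also show. The sample messages, the key ID and the dummy session-key MPI are constructed for this example. An all-zero key ID is the RFC 4880 wildcard that GnuPG emits for `--hidden-recipient` / `--throw-keyids`; that is the mitigation when the key-to-address linkage must stay private, at the cost of the recipient having to try each secret key on decryption.

```python
"""
Report which recipient key IDs are readable, without any key, from the
packet headers of an OpenPGP message. Added example; sample data is
constructed and the MPI is not a real encrypted session key.
"""
import struct

PKESK_TAG = 1               # Public-Key Encrypted Session Key packet
SEIPD_TAG = 18              # Sym. Encrypted Integrity Protected Data packet
WILDCARD_KEY_ID = "0000000000000000"   # RFC 4880 5.1: "wildcard" key ID


def read_packet_header(data, pos):
    """Return (tag, body_start, body_len) for the packet starting at data[pos].

    Handles old- and new-format headers with 1-, 2- and 5-octet lengths.
    Partial body lengths and indeterminate lengths are not needed here.
    """
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                       # new-format header
        tag = ctb & 0x3F
        first = data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag = (ctb >> 2) & 0x0F               # old-format header
    length_type = ctb & 0x03
    if length_type == 0:
        return tag, pos + 2, data[pos + 1]
    if length_type == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if length_type == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate length not supported")


def recipient_key_ids(message):
    """Return the key IDs named by the leading PKESK packets, in order.

    Stops at the first non-PKESK packet (the encrypted payload); nothing
    after that point is readable without a key.
    """
    ids, pos = [], 0
    while pos < len(message):
        tag, start, length = read_packet_header(message, pos)
        if tag != PKESK_TAG:
            break
        body = message[start:start + length]
        if body[0] != 3:
            raise ValueError(f"unsupported PKESK version {body[0]}")
        ids.append(body[1:9].hex().upper())   # 8-octet key ID follows the version
        pos = start + length
    return ids


def leaks_recipient(message):
    """True if any PKESK names a concrete key (i.e. not the wildcard)."""
    return any(k != WILDCARD_KEY_ID for k in recipient_key_ids(message))


def build_pkesk(key_id_hex, pk_algo=1):
    """Constructed version-3 PKESK with a 16-bit dummy MPI (RSA algo id 1)."""
    body = bytes([3]) + bytes.fromhex(key_id_hex) + bytes([pk_algo]) + bytes([0x00, 0x10, 0xAB, 0xCD])
    return bytes([0xC0 | PKESK_TAG, len(body)]) + body


# Constructed sample messages: one or more PKESKs followed by a dummy payload.
DUMMY_SEIPD = bytes([0xC0 | SEIPD_TAG, 4, 1, 0xDE, 0xAD, 0xBE])
NORMAL_MESSAGE = build_pkesk("0123456789ABCDEF") + DUMMY_SEIPD          # placeholder key ID
HIDDEN_MESSAGE = build_pkesk(WILDCARD_KEY_ID) + DUMMY_SEIPD            # as with --throw-keyids

if __name__ == "__main__":
    for label, msg in (("normal", NORMAL_MESSAGE), ("hidden", HIDDEN_MESSAGE)):
        print(label, recipient_key_ids(msg), "leaks recipient:", leaks_recipient(msg))
```

With the wildcard ID an observer still learns that the mail is OpenPGP-encrypted and to how many recipients, so this only hides which key was used, not that a key was used.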


Re: get OpenPGP pubkeys authenticated using German personal ID

2023-06-01 Thread Andrew Gallagher via Gnupg-users
On 1 Jun 2023, at 12:23, Alexander Leidinger via Gnupg-users wrote:
> 
> Quoting Bernhard Reiter (from Wed, 31 May 2023 16:55:05 +0200):
> 
>> Obviously they cannot authenticate the email address
>> so once I have a common name, we get collisions?
> 
> The signature is sent to the email listed in the key. In case you share a 
> name with someone who has a PGP key and you sign this key, the person(s) 
> with access to that email account will get the signature.

This is not best practice. Normally when email verification is being performed, 
the gated action (such as certification, account creation etc.) is not done 
until after a (time-bound!) challenge/response succeeds. This places too much 
emphasis on verification of the (non-unique) “real name” component of the 
UserID, and not enough on the machine-readable email address.

This opens up more fundamental questions about the meaning of signatures over 
RFC822 UserIDs - do they validate the “real name”, the email address, or some 
combination of the two? For example, an email-validating CA may only check the 
email address part, treating the “real name” as little more than a comment; 
while Governikus appear to be doing it the other way around. It is of course up 
to the receiver to decide how to interpret signatures, but it only compounds 
the problem when not only is the signer’s trustworthiness in question, but also 
their intent. How do you interpret the validity of a claim when it’s not even 
clear what the claim is?

A



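The verification flow Andrew describes (gate the certification behind a time-bound challenge sent to the address in the User ID, rather than acting on the "real name") as an added example; this is not Governikus' code and not part of the thread. The User ID grammar, the 15-minute TTL, the token layout and the sample fingerprint and address are assumptions of this example.

```python
"""
Email-gated certification: pull the address out of an OpenPGP User ID,
mail a time-bound, single-use challenge to it, and certify only after
the challenge is redeemed. Added example; the policy values are assumed.
"""
import hashlib
import hmac
import re
import secrets
import time

CHALLENGE_TTL = 15 * 60  # seconds; assumed policy value for this example

_ADDR = r"[^<>@\s]+@[^<>@\s]+"
_USER_ID_RE = re.compile(
    rf"^\s*(?:(?P<name>[^<]*?)\s*<(?P<bracketed>{_ADDR})>|(?P<bare>{_ADDR}))\s*$"
)


def parse_user_id(user_id):
    """Split an RFC 2822-style User ID into (name, email).

    Only the address is usable for gating: the name is free text and may
    be shared by many key holders. Raises ValueError when the User ID
    carries no address at all (e.g. a signing-key-only uid).
    """
    m = _USER_ID_RE.match(user_id)
    if not m:
        raise ValueError(f"no email address in User ID: {user_id!r}")
    email = (m.group("bracketed") or m.group("bare")).lower()
    return (m.group("name") or "").strip(), email


def _mac(secret, fingerprint, email, issued, nonce):
    msg = f"{fingerprint}:{email}:{issued}:{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_challenge(secret, fingerprint, user_id, now=None):
    """Return (email, token); the token is mailed to `email` and nowhere else.

    The token binds key fingerprint, address and issue time under the
    server secret, so a response cannot be replayed for another key or
    address, and the server keeps no per-challenge state beyond the set
    of redeemed nonces.
    """
    fingerprint = fingerprint.replace(" ", "").upper()
    _, email = parse_user_id(user_id)
    issued = int(time.time()) if now is None else int(now)
    nonce = secrets.token_urlsafe(16)
    mac = _mac(secret, fingerprint, email, issued, nonce)
    return email, f"{fingerprint}:{email}:{issued}:{nonce}:{mac}"


def redeem(secret, token, now=None, used=None):
    """Validate a returned token; return (fingerprint, email) or None.

    Rejects forged or tampered tokens (bad MAC), expired ones (TTL) and
    replays (nonce already in `used`). Only a non-None result may be
    followed by the actual certification of that fingerprint/address.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        head, issued, nonce, mac = token.rsplit(":", 3)
        fingerprint, email = head.split(":", 1)
        issued = int(issued)
    except ValueError:
        return None
    if not hmac.compare_digest(_mac(secret, fingerprint, email, issued, nonce), mac):
        return None
    if now < issued or now - issued > CHALLENGE_TTL:
        return None
    if used is not None:
        if nonce in used:
            return None
        used.add(nonce)
    return fingerprint, email


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    used = set()
    # Constructed sample: fingerprint and address are placeholders.
    email, token = issue_challenge(
        secret, "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
        "Some Name <holder@example.org>", now=1000)
    print("mail challenge to", email)
    print("in time :", redeem(secret, token, now=1300, used=used))
    print("replayed:", redeem(secret, token, now=1301, used=used))
    print("too late:", redeem(secret, token, now=1000 + CHALLENGE_TTL + 1, used=set()))
```

Two people named alike with different addresses get two different challenges, and a challenge redeemed by the holder of one mailbox certifies only that fingerprint/address pair, which is the property the name-only match lacks.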


Re: get OpenPGP pubkeys authenticated using German personal ID

2023-06-01 Thread Alexander Leidinger via Gnupg-users


Quoting Bernhard Reiter (from Wed, 31 May 2023 16:55:05 +0200):

> https://pgp.governikus.de/?lang=EN
>
> """
> Governikus provides the online service for authenticating your OpenPGP key on
> behalf of the German Federal Office for Information Security (BSI). This
> online service compares the name read from your ID card, your electronic
> residence permit or eID card for citizens of the European Union with the name
> specified in your OpenPGP key. If the names match, your public key is
> electronically signed by Governikus, confirming the match.
> """
>
> interesting, kind of cool.
>
> Obviously they cannot authenticate the email address
> so once I have a common name, we get collisions?

The signature is sent to the email listed in the key. In case you
share a name with someone who has a PGP key and you sign this key,
the person(s) with access to that email account will get the signature.


Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org   netch...@freebsd.org  : PGP 0x8F31830F9F2772BF




[Announce] GnuPG for OS X 2.4.2

2023-06-01 Thread Ralph Seichter via Gnupg-users
GnuPG for OS X / macOS release 2.4.2 is now available for download via
https://sourceforge.net/p/gpgosx/docu/Download/ . This release also
includes updates for several library dependencies.

The disk image signature key is available via public keyservers, and it
can also be downloaded from https://www.seichter.de/pgp/gpgosx-signing.asc .

  pub   ed25519/FD56297D9833FF7F 2022-07-07 [SC] [expires: 2027-07-06]
        Key fingerprint = EAB0 FE4F F793 D9E7 028E  C8E2 FD56 297D 9833 FF7F
  uid           [ultimate] Ralph Seichter (GnuPG for OS X signing key)

GnuPG 2.4.x is installed in /usr/local/gnupg-2.4 instead of the formerly
hardcoded directory /usr/local/gnupg-2.2. This enables installing both
stable and LTS releases of GnuPG for OS X side by side, for advanced
users' needs.

The one caveat is that the latest installation will replace existing
soft links in /usr/local/{bin,lib}. Please use absolute paths like
/usr/local/gnupg-2.2/bin/gpg2 if necessary. Enjoy.

-Ralph

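Pinning the fingerprint printed in this announcement before importing the downloaded signing key, as an added example that is not part of the release or its installer. It assumes `gpg` on PATH, that `--import-options show-only` is available (GnuPG 2.1 and later), and takes the key file, disk image and detached signature as placeholder arguments; the colon-format sample line in the comments is constructed.

```shell
#!/bin/sh
# Added example: refuse to import the gpgosx signing key unless its
# fingerprint matches the one published in the announcement.
EXPECTED_FPR="EAB0FE4FF793D9E7028EC8E2FD56297D9833FF7F"

# Print the first primary-key fingerprint from `gpg --with-colons` output
# read on stdin. Fingerprints live in "fpr" records, field 10, e.g.
#   fpr:::::::::EAB0FE4FF793D9E7028EC8E2FD56297D9833FF7F:    (constructed)
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed (exit 0) only if the first fingerprint on stdin equals EXPECTED_FPR.
fingerprint_matches() {
    [ "$(fpr_from_colons)" = "$EXPECTED_FPR" ]
}

# Full flow: inspect the key file without importing, then import and
# verify the detached signature over the disk image.
#   verify_gpgosx_image gpgosx-signing.asc GnuPG-2.4.2.dmg GnuPG-2.4.2.dmg.sig
verify_gpgosx_image() {
    keyfile="$1"; image="$2"; sig="$3"
    gpg --with-colons --import-options show-only --import "$keyfile" \
        | fingerprint_matches || {
            echo "fingerprint mismatch for $keyfile, refusing to import" >&2
            return 1
        }
    gpg --import "$keyfile" && gpg --verify "$sig" "$image"
}
```

Comparing against the fingerprint rather than the short key ID matters because only the full fingerprint identifies the key; the 64-bit ID in the `pub` line is not collision-resistant enough to pin on its own.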