/* I don't know how to reply to a previous thread, which predates my joining the list. That's why I'm starting a new one. */

I want to share my experience with that service, and have a general question or two regarding the web-of-trust model.

First: I'm impressed. It (more or less) just works... ...with a GNU/Linux desktop. In Germany! ;) I would not have expected that, to be honest. (I have a German ID card (BPA) with the "ePA" function enabled...) On an Arch GNU/Linux PC, using Firefox, and with the AusweisApp2 via flatpak, and an Android phone with the AusweisApp2 from the Google Play Store, the "remote access" -- using the phone as an NFC card reader -- just worked without issues. IF you just follow the instructions and read before you click... as always and often.

Procedure is easy and fast-forward: start the AusweisApp2 on both devices, and start the remote access; go to the website and start the process; prove your identity with the ePA; upload your key; select a uid; get the mail. Repeat if you have more than one uid...

Regarding the criticism from Andrew Gallagher on 1 Jun 2023, at 12:23:

> This is not best practice. Normally when email verification is being performed, the gated action (such as certification, account creation etc.) is not done until after a (time-bound!) challenge/response succeeds. This places too much emphasis on verification of the (non-unique) “real name” component of the UserID, and not enough on the machine-readable email address.
>
> This opens up more fundamental questions about the meaning of signatures over RFC822 UserIDs - do they validate the “real name”, the email address, or some combination of the two? For example, an email-validating CA may only check the email address part, treating the “real name” as little more than a comment; while Governikus appear to be doing it the other way around. It is of course up to the receiver to decide how to interpret signatures, but it only compounds the problem when not only is the signer’s trustworthiness in question, but also their intent.

How do you interpret the validity of a claim when it’s not even clear what the claim is?

If a person, say "Max Mustermann", generates a PGP key with the uid "Max Mustermann <olaf.sch...@bundestag.de>"; yes, I assume Governikus would still sign the key, because the Real Name corresponds, but isn't this signature totally worthless? Because: Max will probably never get the mail with the signature. And Olaf now has the signed public key, but he is missing the secret key. Or not? So is this really a /practical/ issue? (I want to exclude that I'm overlooking or missing something.)

Another related question: If we can attest that the ePA is somehow secure and can not be forged, then the validation of the identity is pretty good, or not?

/* At least it's far better than a passport validation done by unqualified personnel. If I attend the cryptoparty at FOSDEM, I'm pretty sure I would not be able to tell if this Italian or French passport is real or not. */

And a last one: Why shouldn't I give Governikus (864E 8B95 1ECF C04A F2BB 233E 5E5C CCB4 A4BF 43D7) a trust-signature with a depth of 2, so I can trust signatures they made? I have not found such info or recommendation on their website, but the use-case is probably present?

And btw: Are there any *public* OpenPGP CAs out there? (Not openpgp-ca.org, which you can selfhost and stuff, but rather an entity checking and validating Person/ID/Key and so forth...)

Thanks and greetings,
Bernd

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
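The "Max Mustermann with someone else's address" question above, and the quoted point about gating the certification behind a time-bound challenge/response, can be made concrete with a small model. The following is an added example written for this page; it is not code from the gnupg-users thread, from GnuPG or from Governikus. The `Certifier` class, the name check, the placeholder fingerprint and the address `olaf.example@example.org` are all constructed for illustration, and "mail" is simulated by appending to an outbox list. Policy A certifies as soon as the ID-card name matches and then mails the signed key; policy B mails a single-use, expiring token to the address and certifies only when that token comes back.

```python
"""Two certification policies for an OpenPGP User ID, as a toy model.

Added example, not code from the gnupg-users thread, from GnuPG or from
Governikus. It contrasts certifying right after the ID-card name match
(the flow the mail describes) with a time-bound e-mail challenge that
must succeed before anything is certified (the practice the quoted reply
recommends). Names, addresses, fingerprints and the Certifier class are
all constructed for illustration; no real keys or mail are involved.
"""
import re
import secrets
import time

# RFC 2822-style User ID: "Real Name <local@domain>"
UID_RE = re.compile(r"^\s*(?P<name>[^<]*?)\s*<(?P<email>[^<>\s]+)>\s*$")


def parse_uid(uid):
    """Split a User ID into its (name, email) parts; email is lower-cased."""
    m = UID_RE.match(uid)
    if m is None:
        raise ValueError(f"not a 'name <email>' User ID: {uid!r}")
    return m.group("name"), m.group("email").lower()


class Certifier:
    """Simulated certifying party (constructed). Mail is 'sent' to outbox."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be exercised
        self.pending = {}           # token -> (fingerprint, uid, expires_at)
        self.outbox = []            # (recipient, kind, payload)
        self.certified = []         # (fingerprint, uid)

    # Policy A: name on the ID card matches -> certify -> mail the signed key.
    def certify_after_name_match(self, fingerprint, uid, id_card_name):
        name, email = parse_uid(uid)
        if name != id_card_name:
            return False
        self.certified.append((fingerprint, uid))       # gated action first
        self.outbox.append((email, "signed-key", fingerprint))
        return True

    # Policy B: name check, then a time-bound challenge to the address;
    # the certification is only made when the challenge comes back.
    def start_challenge(self, fingerprint, uid, id_card_name):
        name, email = parse_uid(uid)
        if name != id_card_name:
            return None
        token = secrets.token_urlsafe(24)
        self.pending[token] = (fingerprint, uid, self.clock() + self.ttl)
        self.outbox.append((email, "challenge", token))
        return token

    def complete_challenge(self, token):
        entry = self.pending.pop(token, None)            # single use
        if entry is None:
            return False
        fingerprint, uid, expires_at = entry
        if self.clock() > expires_at:
            return False                                  # expired
        self.certified.append((fingerprint, uid))        # gated action last
        return True


def mismatch_scenario():
    """Key carrying Max's name but another person's address (constructed).

    Returns, per policy, whether a certification exists and who got mail.
    """
    uid = "Max Mustermann <olaf.example@example.org>"   # constructed UID
    fpr = "PLACEHOLDER-FINGERPRINT"                      # not a real key

    a = Certifier()
    a.certify_after_name_match(fpr, uid, "Max Mustermann")

    b = Certifier()
    b.start_challenge(fpr, uid, "Max Mustermann")
    # Nobody acting for olaf.example@example.org answers the challenge,
    # so policy B never certifies the binding.

    return {
        "A_certified": len(a.certified) == 1,
        "A_mail_to": a.outbox[0][0],
        "B_certified": len(b.certified) == 1,
        "B_mail_to": b.outbox[0][0],
    }


if __name__ == "__main__":
    print(mismatch_scenario())
```

Under policy A the certification over the whole User ID exists before anyone has shown control of the address, and the signed key lands in a mailbox that does not hold the secret key, which is exactly the situation the question describes. Under policy B the token is bound to a clock and consumed on first use, so a stale or replayed response cannot trigger the certification later; the clock is injected only so the expiry path can be exercised without waiting.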