
List:       gnupg-users
Subject:    Re: get OpenPGP pubkeys authenticated using German personal ID
From:       Andrew Gallagher via Gnupg-users <gnupg-users () gnupg ! org>
Date:       2023-06-01 13:19:29
Message-ID: B8A0A419-4AAE-4939-9632-A228B73B91BC () andrewg ! com

On 1 Jun 2023, at 12:23, Alexander Leidinger via Gnupg-users <gnupg-users@gnupg.org> wrote:
> 
> Quoting Bernhard Reiter <bernhard@intevation.de> (from Wed, 31 May 2023 16:55:05 +0200): 
> > Obviously they cannot authenticate the email address
> > so once I have a common name, we get collisions?
> 
> The signature is sent to the email listed in the key. In case you share a name with someone who has a PGP key and you sign this key, the person(s) with access to that email account will get the signature.

This is not best practice. Normally when email verification is being performed, the gated action (such as certification, account creation etc.) is not done until after a (time-bound!) challenge/response succeeds. This places too much emphasis on verification of the (non-unique) "real name" component of the UserID, and not enough on the machine-readable email address.

This opens up more fundamental questions about the meaning of signatures over RFC822 UserIDs - do they validate the "real name", the email address, or some combination of the two? For example, an email-validating CA may only check the email address part, treating the "real name" as little more than a comment; while Governikus appear to be doing it the other way around. It is of course up to the receiver to decide how to interpret signatures, but it only compounds the problem when not only is the signer's trustworthiness in question, but also their intent. How do you interpret the validity of a claim when it's not even clear what the claim is?

A
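The following is an added worked example of the time-bound challenge/response gate Andrew describes above; it is not code from this thread, from GnuPG or from Governikus. It models a certifying party that mails an unguessable token to the address in the UserID and only releases the certification once that token comes back within the time limit and has not been used before. The 15-minute TTL, the fingerprint and the address are constructed values, and the `CertificationGate` class and its methods are hypothetical names chosen for the illustration.

```python
"""Time-bound, single-use challenge/response gate in front of a key certification.

Added example (not from the thread): the certification over a UserID is only
released after the challenge mailed to the UserID's address is answered within
the time limit. Policy values (TTL) and the sample key data are constructed.
"""
import secrets
import time

CHALLENGE_TTL_SECONDS = 15 * 60  # constructed policy value: 15 minutes


class CertificationGate:
    """Holds pending challenges and the certifications that have been released."""

    def __init__(self, ttl=CHALLENGE_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so the flow can be tested deterministically
        self.pending = {}           # token -> (fingerprint, email, expires_at)
        self.certified = []         # (fingerprint, email) pairs certified so far

    def issue_challenge(self, fingerprint, email):
        """Start verification: create an unguessable token bound to this key and address.

        The caller mails only the token to `email`. Nothing has been signed yet,
        so someone who merely shares the "real name" in the UserID receives no
        certification unless they also control the mailbox.
        """
        token = secrets.token_urlsafe(32)
        self.pending[token] = (fingerprint, email, self.clock() + self.ttl)
        return token

    def respond(self, token):
        """Complete verification: release the certification only for a live, unused token."""
        entry = self.pending.pop(token, None)   # pop makes the token single-use
        if entry is None:
            return False                        # unknown or already consumed
        fingerprint, email, expires_at = entry
        if self.clock() > expires_at:
            return False                        # too late: the challenge has lapsed
        # Only here does the gated action happen; a real CA would emit the
        # OpenPGP certification over (fingerprint, UserID) at this point.
        self.certified.append((fingerprint, email))
        return True

    def is_certified(self, fingerprint, email):
        return (fingerprint, email) in self.certified


def demo():
    """Run the flow once with a fake clock; returns the outcomes for inspection."""
    now = [1_000.0]
    gate = CertificationGate(ttl=60, clock=lambda: now[0])
    fpr = "0000000000000000000000000000000000000000"   # constructed fingerprint
    addr = "alice@example.org"                            # constructed address

    # The sign-first-then-mail ordering criticised above would already have
    # certified here; this gate has not.
    before = gate.is_certified(fpr, addr)

    stale = gate.issue_challenge(fpr, addr)
    now[0] += 120                      # reply arrives after the 60 s window
    late = gate.respond(stale)

    fresh = gate.issue_challenge(fpr, addr)
    now[0] += 30                       # reply arrives inside the window
    ok = gate.respond(fresh)
    replay = gate.respond(fresh)       # same token presented a second time

    return {"before": before, "late": late, "ok": ok, "replay": replay,
            "certified": gate.is_certified(fpr, addr)}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the gated action lives inside `respond`, after the expiry and single-use checks, rather than before the mail is sent; an expired or replayed token therefore produces no certification at all, and the "real name" never enters the decision.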



