On Sun, Oct 24, 2021 at 6:53 PM Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
> On Sun, 24 Oct 2021 08:38:06 -0400 Karl <gmkarl@gmail.com> wrote:
>> these contain signatures via a newer pgp key coderman's been emailing;
>
> what makes you think that stuff signed by 'coderman' has any validity at all?

Correct, the only way currently in the OpenPGP ecosystem is for users in Germany, with a German ID-card, containing a chip, and a secure mechanism, to prove that this public key belongs to this person. And when the key pair is directly burned on a YubiKey or Nitrokey the private key can't be stolen when used on a compromised online device. Probably the most secure way, but it still cannot guarantee that I did the signature when I supply a warrant canary and I am already dead and someone is in possession of my (valid) ID-card and YubiKey + credentials.

Regards
Stefan