On 10/24/21, Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
> Hi Karl,
>
> If people would make it a habit to use for (important) stuff a timestamping service and, let's say, a digitally signed document refers to this fact, it would be IMHO obvious that the original content provider was the first person in the blockchain, according to the provided timestamp file.

Due to the addition of a privacy-preserving nonce by opentimestamps.org, either universal access to the preceding timestamp file, or a small mutation of the timestamping behavior, is required to identify the first item on the blockchain. That's all.

> Our ID-card has no pgp in it, but you can securely bind your public pgp key to your ID-card, so that third parties know that the name displayed in the UID of your pub key is the name in your ID-card.
>
> It is done in the following way. Our ID-cards have an RFID chip in them with our details, which is then inserted into a card reader. You visit the Governikus website, which asks for your ID-card, and the card reader and software on your computer check this, and the website then knows that it is me and asks for my pub key to be inserted. If the UID data matches with my ID-card, my public key will be signed with a sig3.
>
> This has IMHO the advantage that you do not need a ton of WoT signatures, and since Governikus is our official German pgp CA, people know then that it is me.

I didn't know there was such a thing as a PGP CA, kinda cool, does sound a little single-point-of-failure to me, but you must have laws to e.g. force them to improve their practices if they aren't sufficient, I suppose.
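
The nonce point raised earlier in this message, as an added example that is not part of the original e-mail and is not OpenTimestamps' own code: a simplified Python model in which the published commitment is the SHA-256 of the document digest plus a random nonce. The function names, the list standing in for the blockchain, and the empty-nonce "mutated" mode are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def sha256(data):
    return hashlib.sha256(data).digest()


def stamp(document, nonce=None):
    """Return (commitment, proof). Only the commitment is published;
    the proof, which holds the nonce, stays in the holder's timestamp file."""
    if nonce is None:
        nonce = os.urandom(16)  # privacy-preserving nonce
    commitment = sha256(sha256(document) + nonce)
    return commitment, {"nonce": nonce}


def first_index(document, nonce, public_log):
    """Earliest log position committing to `document` under `nonce`, else None."""
    expected = sha256(sha256(document) + nonce)
    for i, entry in enumerate(public_log):
        if hmac.compare_digest(entry, expected):
            return i
    return None


def demo():
    doc = b"constructed sample document"
    # Two parties stamp the same content; the original author goes first.
    c_author, proof_author = stamp(doc)
    c_copier, proof_copier = stamp(doc)
    log = [c_author, c_copier]  # constructed stand-in for the public chain
    # Mutated behaviour (assumption): a fixed, publicly known nonce, here empty.
    c_open, _ = stamp(doc, nonce=b"")
    open_log = [c_open, c_copier]
    return {
        "observer_no_file": first_index(doc, b"", log),
        "with_author_file": first_index(doc, proof_author["nonce"], log),
        "with_copier_file": first_index(doc, proof_copier["nonce"], log),
        "observer_mutated": first_index(doc, b"", open_log),
    }


if __name__ == "__main__":
    print(demo())
```

A verifier holding only the copier's timestamp file sees position 1 and cannot tell whether an earlier commitment to the same content exists; that requires the author's file or a publicly recomputable commitment.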