On Thu, Nov 4, 2021 at 8:41 PM Karl <gmkarl@gmail.com> wrote:
how do I verify I have the real governikus signature? what do you do if their key is compromised or misused?
On their website is their fingerprint and I
so if I pick up your device or access it with a public exploit, install a new SSL CA in it, and add my proxy, I can serve you a wrong fingerprint and you will trust only my pgp signatures and not the real ones?
or is that when I get offered a job with the government and your device is tacitly fixed?
must admit I do not know how one could compromise their whole infrastructure, which relies on our ID-cards and a
I would not do this, I would just worry about a criminal with a job in the government. do you ever elect those like we do in my country?
certified card-reader. In case this would be possible then the wrong CA would properly sign my key, thus guaranteeing that it is me.
you mean the opposite of that right? since the wrong CA signing your key wouldn't guarantee that it is you?
To give you a quick summary of how this all works:

I burn the secret key on a Yubikey with an offline device. I upload my pub key to Governikus, which compares my name on my ID-card with my pub key name. This is done via a tunnel, which I must accept on my ID-card's card reader display (and not my computer). Once done, Governikus signs my pub key and sends the signed pub key to my email address mentioned in my pub key's UID, along with their signing pub key.

If the NSA would physically take over Governikus with its own personnel and the complete infrastructure, they would simply sign in the name of Governikus my pub key, so that you also have the guarantee that it is me. :-)

If the NSA could also take physically over our German Bundesdruckerei, with their personnel, which creates our ID-cards, Passports, Banknotes etc., then they could issue for Joe Blow in the United States an ID-card, so that he looks like a German national and then he could use Governikus as well.

But how likely is that? I guess stealing someone's (WoT signed) secret key is a *much much* easier task, which only would take five minutes or so remotely, along with the passphrase, if the person still uses an online device for encryption and a little bit more time if the person uses an offline device.

Regards
Stefan
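As an added example (not part of the thread and not Governikus' own tooling), the fingerprint question raised above can be handled by pinning the CA fingerprint only when two independent channels agree, then accepting a certification from `gpg --with-colons --check-sigs` output only if its issuer fingerprint equals that pin. The channel names, keys, UIDs and fingerprints are constructed placeholders, and the listing assumes a GnuPG version that emits the issuer fingerprint in field 13 of `sig` records.

```python
def norm(fpr):
    """Drop spaces and upper-case, so copies from different channels compare equal."""
    return "".join(fpr.split()).upper()

def agreed_fingerprint(channels):
    """Return the fingerprint only if two or more channels give the same 40 hex digits."""
    seen = {norm(v) for v in channels.values()}
    if len(channels) < 2 or len(seen) != 1:
        return None
    fpr = seen.pop()
    return fpr if len(fpr) == 40 and all(c in "0123456789ABCDEF" for c in fpr) else None

def uids_certified_by(colons, pinned):
    """List UIDs that carry a good ('!') signature issued by the pinned fingerprint."""
    uid, out = None, []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            uid = f[9]                      # field 10: user ID
        elif f[0] == "sig" and uid and pinned and len(f) > 12:
            # f[1] is the check result, f[12] the issuer fingerprint.
            # The signer's name and key ID are never used for the decision.
            if f[1] == "!" and norm(f[12]) == pinned and uid not in out:
                out.append(uid)
    return out

# Constructed placeholders, not real Governikus values.
PINNED = "AAAA" * 10
LOOKALIKE = "BBBB" * 10
SAMPLE = "\n".join([
    "pub:-:255:22:1111111111111111:1636000000:::-:::scESC:",
    "uid:-::::1636000000::::Alice Example <alice@example.org>:",
    f"sig:!::1:2222222222222222:1636000100::::Example CA:10x::{LOOKALIKE}:",
    "uid:-::::1636000000::::Bob Example <bob@example.org>:",
    f"sig:!::1:3333333333333333:1636000200::::Example CA:10x::{PINNED}:",
    "uid:-::::1636000000::::Carol Example <carol@example.org>:",
    f"sig:-::1:3333333333333333:1636000300::::Example CA:10x::{PINNED}:",
])

if __name__ == "__main__":
    pin = agreed_fingerprint({"website": PINNED, "printed": " ".join(["aaaa"] * 10)})
    print(uids_certified_by(SAMPLE, pin))
```

Only Bob's UID passes: Alice's is signed by a key that merely carries the same display name, and Carol's signature fails the cryptographic check.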