On Sun, Oct 24, 2021 at 8:35 PM Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
On Sun, Oct 24, 2021 at 6:53 PM Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
On Sun, 24 Oct 2021 08:38:06 -0400 Karl <gmkarl@gmail.com> wrote:
these contain signatures via a newer pgp key coderman's been emailing;
what makes you think that stuff signed by 'coderman' has any validity at all?
Correct, the only way currently in the OpenPGP ecosystem is for users in Germany, with a German ID-card containing a chip and a secure mechanism, to prove that this public key belongs to this person. And when the key pair is directly burned on a YubiKey or Nitrokey, the private key can't be stolen when used on a compromised online device. Probably the most secure way, but it still cannot guarantee that I did the signature when I supply a warrant canary and I am already dead and someone is in possession of my (valid) ID-card and YubiKey + credentials.
This CA service is run by Governikus on behalf of our German Government (BSI), and even Werner Koch (Germany), the author of GnuPG, does not use this system, for free, which also requires that you have a BSI-authorized card reader for your ID-card to use this service.

Regards
Stefan