[spam][joke][cryptotragedy] checking signatures on boot media

Stefan Claas spam.trap.mailing.lists at gmail.com
Thu Nov 4 13:54:23 PDT 2021

On Thu, Nov 4, 2021 at 8:41 PM Karl <gmkarl at gmail.com> wrote:
>> > how do I verify I have the real governikus signature?  what do you do if their key is compromised or misused?
>> On their website is their fingerprint and I
> so if I pick up your device or access it with a public exploit, install a new SSL CA in it, and add my proxy, I can serve you a wrong fingerprint and you will trust only my pgp signatures and not the real ones?
> or is that when I get offered a job with the government and your device is tacitly fixed?
>> must admit I do not know
>> how one could compromise
>> their whole infrastructure, which relies on our ID-cards and a
> I would not do this, I would just worry about a criminal with a job in the government.  do you ever elect those like we do in my country?
>> certified card-reader. In case this
>> would be possible then the wrong CA would properly sign my key, thus
>> guaranteeing that it
>> is me.
> you mean the opposite of that right?  since the wrong CA signing your key wouldn't guarantee that it is you?

To give you a quick summary of how this all works:

I burn the secret key on a Yubikey with an offline device.

I upload my pub key to Governikus, which compares my
Name on my ID-card with my pub key Name. This is done
via a tunnel, which I must accept on my ID-cards card reader
display (and not my computer). Once done Governikus signs
my pub key and sends the signed pub key to my email address
mentioned in my pub keys UID, along with their signing pub key.

If the NSA would physically take over Governikus' with its own
personal and the complete infrastructure, they would simply sign
in the name of Governikus my pub key, so that you also have the
guarantee that it is me. :-)

If the NSA could also take physically over our German Bundesdruckerei,
with their personal, which creates our ID-cards, Passports, Banknotes etc.
than they could issue for Joe Blow in the United States an ID-card, so that
he looks like a German national and then he could use Governikus as well.

But how likely is that?

I guess stealing someones (Wot  signed) secret key is a *much much* easier task,
which only would take five minutes or so remotely, along with the passphrase, if
the person still uses an online device for encryption and a little bit more time
if the person uses an offline device.


More information about the cypherpunks mailing list