[spam][joke][cryptotragedy] checking signatures on boot media

Karl gmkarl at gmail.com
Thu Nov 4 14:51:02 PDT 2021


hey

> To give you a quick summary of how this all works:
>
> I burn the secret key on a Yubikey with an offline device.
>
> I upload my pub key to Governikus, which compares my
> Name on my ID-card with my pub key Name. This is done
> via a tunnel, which I must accept on my ID-cards card reader
> display (and not my computer). Once done Governikus signs
> my pub key and sends the signed pub key to my email address
> mentioned in my pub key's UID, along with their signing pub key.
>
> If the NSA would physically take over Governikus' with its own
> personal and the complete infrastructure, they would simply sign
> in the name of Governikus my pub key, so that you also have the
> guarantee that it is me. :-)
>

what you say has meaning and your joke can be taken many hilarious ways

but obviously there are many unaddressed parts, such as the german workers
and the hardware suppliers and software developers and the people
delivering the parts

and obviously there is no guarantee that anybody is anybody when a foreign
agency seizes control of communications

but they are more likely to do this by installing something subtle than an
overt physical takeover

and here they have only to do that with a single organization

and likely even have international deals to facilitate it.

> If the NSA could also take physically over our German Bundesdruckerei,
> with their personal, which creates our ID-cards, Passports, Banknotes etc.
> then they could issue for Joe Blow in the United States an ID-card, so that
> he looks like a German national and then he could use Governikus as well.
>
> But how likely is that?
>

=> you did not address the security of the fingerprint. <= which you
describe as secured and shared only by ssl

I am quite happy to let people secure their keys with keysigners, and it
sounds like governikus has strong value as _a_ keysigner.

> I guess stealing someone's (Wot signed) secret key is a *much much* easier
> task, which only would take five minutes or so remotely, along with the
> passphrase, if the person still uses an online device for encryption and
> a little bit more time if the person uses an offline device.
>

whether or not they are online is orthogonal to whether or not they use wot
and governikus.  wot works fine offline too, works fine with yubikey.

I was surprised when you started saying things as strange as the things I
say.  but it is much more pleasant to banter with you than the posters who
say very mean things with every post.