List Archival

Stefan Claas spam.trap.mailing.lists at gmail.com
Mon Oct 25 08:03:12 PDT 2021


Ok.

I give you now some ideas you may think about, or not.

As you may know modern sequoia-pgp (Testimonials by
Mr Zimmermann) no longer uses the stupid WoT. Stupid
keyservers like SKS are thankfully also dead.

The difference in CA sigs and a modern keyserver like Mailvelope
and the difference between WoT signatures and SKS keyservers:

When I have a CA signature, based on our Government system
and I upload my signed pub key to Mailvelope you have the
*guarantee* that the key is from me and I have the guarantee
that no one can add (spam) signatures. And I can delete my
key (right to be forgotten).

When you are a fan of classic WoT signatures and SKS keyservers
the following can happen.

A person, say a left-winger uploads his pub key to SKS and asks a
respected community member of OpenPGP if he signs his pub key
and he does. Later the left-winger figures out that the signee was
employed at two different NSA contractors; he may feel a bit
uncomfortable if this would be publicly known. These persons exist.

Another respected OpenPGP community member runs a private CA,
which GnuPG users like. What the GnuPG users do not know is that
he signs pub keys without notifying the people and not checking the
people. Also real case. So what value have these signatures?

Fan sigs: Check Mr Zimmermann's or Mr Koch's key and do a
reverse signature search and look how many these both have
signed from their signees.

Let's assume you have minors, which you allow to use OpenPGP.
Some little bastard of your daughter's friends appends nasty signatures
to her pub key. Later she comes home and cries and asks daddy, please
remove my key from keyservers. Same can happen to adults of course.

Ok, the last three cases won't happen with Mailvelope, but you get
the idea. Also OpenPGP is the only public key software, from many, and
I mean many which uses key signatures. Then you had openly shown
communication paths, which should be nobody's business except yours
and your friends. Before PGP was invented nobody had key signatures.

If OpenPGP could be used for business, like shopping etc., you would
probably agree that in dispute cases etc. a CA sig from a Government
has more weight than a couple of sigs nobody can really verify.

We both can probably discuss until we get blue in the face, but you
see my points.

Regards
Stefan



On Mon, Oct 25, 2021 at 5:40 AM grarpamp <grarpamp at gmail.com> wrote:
>
> > This CA Service is run by Governikus, on behalf of our German Government (BSI)
>
> You don't need to create keep grow prop up digitize worship
> and in general foolishly continue to put governments in power
> over you for this, or anything else.
>
> PGP WoT works entirely independent of and has no need for
> Government database bullshit.
>
> Create whatever keys for whatever nyms you aspire to,
> demonstrate and hold them out for others to sign to
> whatever degree they wish, hit send, and around the globe
> it goes. No Govt "authorities" DB's Bio-ID's etc needed.
>
> > even Werner Koch (Germany) the author of GnuPG does not use this system
>
> Perhaps that's why he doesn't, and shouldn't.
>
> > for free
>
> Nothing is ever free except charity, but you gave away
> that personal responsibility to Govt too, now they steal
> many times the amount from you, and fuck it up.
>
> And in this case, "free" is being used as a scam to lure people into
> permanent central Bio-ID dependency structures GovCorp digital slavery
> and control systems, lifetime tracking spyveillance and datamining, and
> worse... and you're falling for it. That's very bad and never ends well, ever.
>
> https://en.wikipedia.org/wiki/IBM_and_the_Holocaust


More information about the cypherpunks mailing list