On 07.06.17 00:04, MFPA wrote:
>
> On Tuesday 6 June 2017 at 5:07:18 PM, in
> <mid:4df4bdbf-bda1-9259-4e5b-621b650d4...@posteo.de>, Stefan Claas
> wrote:-
>
>> Therefore qualified CA's
>> in my opinion are mandatory where each user in each
>> country [may] register
>> with his/her id-card so that it's guaranteed that
>> Alice is not Eve.
>
> Assuming the users trust both the CA and the entity that issued the
> id-card.
>

Well, that's debatable. As an example:

My old pub-key had a sig3 from a well-known German computer magazine, which I believe a lot of people here in Germany would trust. Their procedure was that you attend their booth at electronic fairs, show up with your id-card and a filled-out form containing your data and the pub-key data. They then carefully checked the filled-out form with your id-card. So it's imo comparable with key signing parties you attend. But who guarantees that an id-card is not fake with this classical procedure?

My new pub-key bears a sig3 from a German CA which is run on behalf of our interior ministry. People may not trust our government, but the procedure by which the pub-key was verified* tells me that the sig3 issued to that person is correct.

*Our new German id-card contains a chip and when you look at it I would say this sort of modern id-card cannot be faked.

The procedure went like this: I inserted my id-card in a certified card reader, which I purchased, started the German certified id-card software "AusweisApp2" to connect to the CA server, and the server checked my id-card online and after verification sent the signed pub-key to my email address.

Can this procedure be faked by criminals etc.? I doubt it.

Regards
Stefan