Mailing List Archive

OpenPGP key verification + legal framework
Dear All,

we create a service for OpenPGP key verification: https://cryptonomica.net

It's open source: https://github.com/Cryptonomica/cryptonomica and it
has a legal part ( see:
https://github.com/Cryptonomica/cryptonomica/wiki/Cryptonomica-White-Paper
) aimed at creating an international system of legally recognized and
enforceable contracts based on OpenPGP.

I would be very interested to hear feedback, criticism and suggestions
on our project. And also to establish contacts with people interested in
cooperation.

Best regards,
Viktor Ageyev
CEO/CTO, Cryptonomica.net

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP key verification + legal framework
On 05.11.2018 15:21, Viktor wrote:
> Dear All,
>
> (...)
>
> I would be very interested to hear feedback, criticism and suggestions
> on our project. And also to establish contacts with people interested in
> cooperation.
Looks interesting.

But the language on the registration dialog [0] seems a little bit
unsettling:

> user personal data provided for key verification stored for forever
> and can not be deleted or removed by user's request.

Maybe it would also be a good idea to provide a list of locations of
Notaries before registration. I'd like to see if there is one nearby, if
not, there is not much benefit for me to register (at least now).

Kind regards,
Wiktor

[0]: https://cryptonomica.net/#!/registration

--
https://metacode.biz/@wiktor

Re: OpenPGP key verification + legal framework
Hello All!

I just tried to register with a key which has several user IDs
(e-mail addresses) and I always got the error that the user ID is not the
same as in the log-in/registered e-mail.

And yes, to see the list of Notaries before registration would be very good.

regards
Juergen

--
Juergen M. Bruckner
juergen@bruckner.tk
Re: OpenPGP key verification + legal framework
On 05/11/2018 18:01, Wiktor Kwapisiewicz wrote:
> user personal data provided for key verification stored for forever
> and can not be deleted or removed by user's request.

Yes, that's the point.
If my counterparty had signed some contract or document, he/she should
not be able to delete his/her public key certificate and data used for
its verification.
So in case of dispute I can prove that he/she really signed the document.
This is exactly the part that is difficult to ensure, especially given
the new European legislation (GDPR). We needed to develop a
justification for this. We registered with the U.K. Information
Commissioner's Office (https://ico.org.uk), hired a certified Data
Protection Officer, etc.

> Maybe it would also be a good idea to provide a list of locations of
> Notaries before registration. I'd like to see if there is one nearby, if
> not, there is not much benefit for me to register (at least now).

For now we have connected notaries only in Tel Aviv and Kyiv.

The main verification method is online verification, and we already have
users with verified keys from 34 countries.


Best regards,
Viktor Ageyev
CEO/CTO, Cryptonomica.net

Re: OpenPGP key verification + legal framework
Hi,

On Mon, Nov 05, 2018 at 05:13:41PM +0100, Juergen Bruckner wrote:
> I just tried to register with a key which has several user IDs
> (e-mail addresses) and I always got the error that the user ID is not the
> same as in the log-in/registered e-mail.

From what they say on the home page [1] this is expected: your key is
supposed to have only one user ID whose email component must match
the email address of your Google account...

... which, by the way, is a big "no" for me. :/


Damien


[1] https://cryptonomica.net/#!/

> To become member of Cryptonomica:
> [...]
> Public PGP Key should have one user ID with first name, last
> name and user e-mail. E-mail in the key should be the same as in
> Google account, that you use to login to Cryptonomica server.
Re: OpenPGP key verification + legal framework
Hello all,

there is a lot of hassle about using Gmail, but this is not really the
topic here.

If I want an "independent" ID verification on my GPG key, I can also use
CAcert. There the signing of GPG keys has been offered for a long time.

best regards
Juergen

--
Juergen M. Bruckner
juergen@bruckner.tk
Re: OpenPGP key verification + legal framework
On 05/11/2018 18:13, Juergen Bruckner wrote:
> I just tried to register with a key which has several user IDs
> (e-mail addresses) and I always got the error that the user ID is not the
> same as in the log-in/registered e-mail.

We use the rule that the user ID should contain the user's first and last name
exactly as in the passport, and only one email - the same as used for login.
So we can verify it's really your email.

> And yes to see the list of Notaries before registration would be very good.

Actually, we are going to make notary verification optional after online
verification. Online verification works for everyone, but building
a network of notaries takes time.

Best regards,
Viktor Ageyev
CEO/CTO, Cryptonomica.net


Re: OpenPGP key verification + legal framework
On 05/11/2018 19:03, Damien Goutte-Gattat via Gnupg-users wrote:
> From what they say on the home page [1] this is expected: your key is
> supposed to have only one user ID whose email component must match
> the email address of your Google account...
>
> ... which, by the way, is a big "no" for me. :/

Because of Google or because of "only one user ID" ?

Best regards,
Viktor Ageyev
CEO/CTO, Cryptonomica.net

Re: OpenPGP key verification + legal framework
On 05/11/2018 21:12, Juergen Bruckner wrote:
> If I want an "independent" ID verification on my GPG key, I can also use
> CAcert. There the signing of GPG keys is offered for a long time.

Signing is easy. The difficult part is 1) to create a system in which
you can prove that the key really belongs to the user specified in the
userID 2) to make contracts signed by a verified key legally recognizable
and enforceable.
We are working on 1) and 2)

For 1) I mean the case when a user has signed a document or contract, and
after that this user claims that the signature was not made by his key.
In such a case, I think signing keys at a 'key signing party' is not
reliable. There must be a known key verification procedure, and a
permanent repository of information and documents that were used to
verify the key.

And we actually do not sign keys, for two reasons:
a. If you automatically trust the signing key, compromising the signing
key breaks the entire system.
b. In many countries, generating or signing cryptographic keys requires
a license. We create a system that should work the same way and legally
in all countries. And we do not sign key certificates. We only attach to
them information about the owner of the key, which the user manually
checks before adding this certificate to his list of trusted certificates.

Best regards,
Viktor Ageyev
CEO/CTO, Cryptonomica.net


Re: OpenPGP key verification + legal framework
On 05.11.2018 20:28, Viktor wrote:
>
> We use the rule that the user ID should contain the user's first and last name
> exactly as in the passport, and only one email - the same as used for login.
> So we can verify it's really your email.

Have you considered an alternative approach to email verification? For
example just sending an e-mail (probably encrypted) with a one-time
verification link?

That way non-Google users wouldn't be excluded. (Actually this approach
would work for Google and non-Google users alike).

Sending an encrypted e-mail additionally verifies that the user controls
the key in question.

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor

Re: OpenPGP key verification + legal framework
On 05/11/2018 21:50, Wiktor Kwapisiewicz wrote:
> Have you considered an alternative approach to email verification? For
> example just sending an e-mail (probably encrypted) with a one-time
> verification link?

Yes, we considered this option. But we can not be sure that the user uses
a secure email system, and that this link can not be read by somebody else.

For now, using Google’s login system seems to be the most reliable and
secure solution. Our backend works on Google App Engine, and thus we
don’t have our own login-password system and, accordingly, it is
impossible to crack it unless you hack Google. Yes, of course Google can
find out the public certificates associated with Google accounts, but
any other user in our system can do this.

> That way non-Google users wouldn't be excluded. (Actually this approach
> would work for Google and non-Google users alike).

You can register a Google account with any email address. Simply,
instead of creating an account on our service (another password that
needs to be saved), you create an account on Google, or use an existing one.

It doesn't seem to me that every internet site should have its own
separate login-password system, in most cases it is better to use the
existing secure solution.

> Sending an encrypted e-mail additionally verifies that the user controls
> the key in question.

But you can easily send email with any address in 'from' field.
It does not mean you really control this email address.


Best regards,
Viktor Ageyev
CEO/CTO, Cryptonomica.net

Re: OpenPGP key verification + legal framework
On 05/11/18 17:56, Viktor wrote:

> If my counterparty had signed some contract or document, he/she should
> not be able to delete his/her public key certificate and data used for
> its verification.
IMVHO You're just (badly) reinventing X509.

> This is exactly the part that is difficult to ensure, especially given
> the new European legislation (GDPR). We needed to develop a
> justification for this. We had registered by U.K. Information
> Commissioner's Office (https://ico.org.uk) , hired certified Data
> Protection Officer etc.
Then, again IMVHO, you should have registered in a country that's
supposed to *remain* in the EU...

> For now we have connected notaries only in Tel Aviv and Kyiv.
CACert does have quite a lot of notaries, but they're still not enough
for an average user: I made a 600km trip just to meet one. It's simply
not good at the economic level: I can buy a smartcard with an already
legally recognized and binding signature for 3y at 50€ (IIRC).
Moreover, if you just verify the mail address you're not identifying the
user, just "someone that currently controls that address". The same can
of worms faced by LetsEncrypt with DV certs.

BYtE,
Diego

Re: OpenPGP key verification + legal framework
On 05.11.2018 21:37, Viktor wrote:
>> Sending an encrypted e-mail additionally verifies that the user controls
>> the key in question.
>
> But you can easily send email with any address in 'from' field.
> It does not mean you really control this email address.

Maybe there is a small misunderstanding here. I meant sending an e-mail
*to* the registering person encrypted using *their* OpenPGP key. This
way it can be read *only* by them even if they are using "insecure
e-mail system" :)

(there is also a minor point that properly deploying DMARC will protect
from spoofing "From" field on major mail providers)

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor

Re: OpenPGP key verification + legal framework
On Mon, Nov 05, 2018 at 09:30:48PM +0200, Viktor wrote:
> Because of Google or because of "only one user ID" ?

Both, even though the requirement of using only one user ID would
be more acceptable if the address did not have to be associated
with a Google account.

Damien
Re: OpenPGP key verification + legal framework
On 11/5/2018 at 3:39 PM, "Viktor" <ageyev@gmail.com> wrote:

> You can register a Google account with any email address. Simply,
> instead of creating an account on our service (another password that
> needs to be saved), you create an account on Google, or use an
> existing one.

=====
Ok,

But suppose I want to use my existing key that I made over 10 years ago,
and it is known and trusted by the people I deal with, but it happens to have more than 1 e-mail ID
(not rare to switch an e-mail account in 10 years)

Does this mean that it cannot be used in your system,
even if you can get the preferred email to register in google, and you have passport personal verification,
just because there is another ID attached?

It seems unnecessarily restrictive.


vedaal


Re: OpenPGP key verification + legal framework
Hi.

On Monday, 05.11.2018, at 21:47 +0200, Viktor wrote:
>
> And we actually not sign keys. From two reasons:
> a. If you automatically trust the signing key, compromising the
> signing key breaks the entire system. b. In many countries,
> generating or signing cryptographic keys requires a license. We
> create a system that should work the same way and legally
> in all countries. And we do not sign key certificates. We only attach
> to them information about the owner of the key, which the user
> manually checks before adding this certificate to his list of
> trusted certificates.

In the EU the use of "qualified" signature is mandatory if it comes to
legal issues. Between private companies it is okay to just use OpenPGP,
but, if it comes to legal issues, one party could deny the validity of
the signature because it is not accepted as a legal signature format,
at least in Germany.

We have the "qualified signature problem" here. In my opinion a bad
solution, but the EU is known to make more Bullsh*t than reasonable
things.

Regards,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac
Re: OpenPGP key verification + legal framework
On 06/11/2018 0:42, vedaal@nym.hush.com wrote:
> But suppose I want to use my existing key that I made over 10 years ago,
> and it is known and trusted by the people I deal with, but it happens to have more than 1 e-mail ID
> (not rare to switch an e-mail account in 10 years)
> Does this mean that it cannot be used in your system,
> even if you can get the preferred email to register in google, and you have passport personal verification,
> just because there is another ID attached?

We can not verify all email addresses in your public key certificate as
yours, just because we have verified your 'preferred email'.

I would suggest:

1) Remove all other user IDs except the one with preferred email, as
described on:
https://crypto.stackexchange.com/questions/9403/how-can-i-remove-my-personal-data-from-my-pgp-public-key

2) Change the validity term of your public key certificate to 1 or 2 years.

Then you can upload your public key certificate to Cryptonomica and
verify it. Fingerprint (and your private key) will be the same.

Best regards,
Viktor Ageyev
CEO/CTO, Cryptonomica.net
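
The one-user-ID rule and the clean-up steps discussed above, checked mechanically, as an added example that is not part of the original messages and is not Cryptonomica's code. It parses `gpg --list-keys --with-colons` output; the sample listings are constructed, and ignoring revoked or expired user IDs and comparing e-mail addresses case-insensitively are assumptions, not documented behaviour of the service.

```python
import re

# Constructed sample of `gpg --list-keys --with-colons` output (not a real key).
# Field 1 = record type, field 2 = validity, field 10 = user ID or fingerprint.
SAMPLE_MULTI_UID = """\
pub:u:4096:1:1111222233334444:1230768000:::u:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:u::::1230768000::0000000000000000000000000000000000000001::Alice Example <alice@example.org>:
uid:u::::1330768000::0000000000000000000000000000000000000002::Alice Example <alice@old.example>:
uid:r::::1130768000::0000000000000000000000000000000000000003::Alice E. (work\\x3a legacy) <alice@corp.example>:
sub:u:4096:1:5555666677778888:1230768000::::::e:
fpr:::::::::9999000099990000999900005555666677778888:
"""

# The same constructed key after the other user IDs were removed.
SAMPLE_SINGLE_UID = "\n".join(
    line for line in SAMPLE_MULTI_UID.splitlines()
    if not line.startswith("uid:") or "<alice@example.org>" in line
)

EMAIL_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>\s*$")


def unescape(field):
    """Undo the C-style \\xNN quoting gpg applies to user IDs (e.g. ':' -> \\x3a)."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def parse_colon_listing(text):
    """Return (primary_fingerprint, [(validity, user_id), ...]) for the first key."""
    fingerprint, uids, seen_pub = None, [], False
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 10:
            continue
        record = fields[0]
        if record == "pub":
            if seen_pub:          # a second key starts here; stop
                break
            seen_pub = True
        elif record == "fpr" and seen_pub and fingerprint is None:
            fingerprint = fields[9]   # first fpr after pub is the primary key's
        elif record == "uid" and seen_pub:
            uids.append((fields[1], unescape(fields[9])))
    return fingerprint, uids


def check_registration_rule(text, login_email):
    """Return (fingerprint, problems); an empty problem list means the key
    has exactly one active user ID whose e-mail equals login_email."""
    fingerprint, uids = parse_colon_listing(text)
    # Assumption: revoked ('r') and expired ('e') user IDs do not count.
    active = [uid for validity, uid in uids if validity not in ("r", "e")]
    problems = []
    if len(active) != 1:
        problems.append(f"expected exactly 1 active user ID, found {len(active)}")
    for uid in active:
        match = EMAIL_RE.search(uid)
        if match is None:
            problems.append(f"no e-mail address in user ID {uid!r}")
        elif match.group(1).lower() != login_email.lower():
            problems.append(f"{match.group(1)} does not match the login e-mail")
    return fingerprint, problems


if __name__ == "__main__":
    for name, listing in (("multi", SAMPLE_MULTI_UID), ("single", SAMPLE_SINGLE_UID)):
        fpr, problems = check_registration_rule(listing, "alice@example.org")
        print(name, fpr, problems or "OK")
```

The fingerprint is computed over the primary key material only, which is why both listings report the same value.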


Re: OpenPGP key verification + legal framework
On 06/11/2018 20:33, Dirk Gottschalk wrote:
> In the EU the use of "qualified" signature is mandatory if it comes to
> legal issues. Between private companies it is okay to just use OpenPGP,
> but, if it comes to legal issues, one party could deny the validity of
> the signature because it is not accepted as a legal signature format,
> at least in Germany.

According to EU regulation (https://en.wikipedia.org/wiki/EIDAS)
signatures made by keys verified on Cryptonomica can be considered as
'advanced electronic signature (AdES)'
(https://en.wikipedia.org/wiki/Advanced_electronic_signature), but not
as 'qualified electronic signature'
(https://en.wikipedia.org/wiki/Qualified_electronic_signature)

AdES is still a legal way to sign documents and contracts. Following
Article 25 of the eIDAS regulation an advanced electronic signature
shall "not be denied legal effect and admissibility as evidence in legal
proceedings solely on the grounds that it is in an electronic form or
that it does not meet the requirements for qualified electronic signatures".

But we have an ultimate solution, that can be used regardless of local
laws. You can put in contract an arbitration clause, like this:

"Any dispute, controversy or claim arising out of or relating to this
agreement, or the breach, termination or invalidity thereof, shall be
settled by arbitration in accordance with the Cryptonomica Arbitration
Rules (
https://github.com/Cryptonomica/arbitration-rules/blob/master/Arbitration_Rules/IACC/IACC-Arbitration-Rules.EN.signed.md
) in the version in effect at the time of the filing of the claim.
And unless the parties agree otherwise in writing:
The place of arbitration shall be: London, United Kingdom.
The language to be used in the arbitral proceedings shall be: English.
The number of arbitrators shall be: one.
The arbitral tribunal shall decide ex aequo et bono"

Where 'ex aequo et bono' means that arbitrators will dispense with
consideration of the law but consider solely what they consider to be
fair and equitable in the case at hand. And yes, arbitration award
('judgment') will be recognizable and enforceable in almost any country
according to Convention on the Recognition and Enforcement of Foreign
Arbitral Awards (
http://www.uncitral.org/uncitral/en/uncitral_texts/arbitration/NYConvention.html
)

Best regards,
Viktor Ageyev
CEO/CTO, Cryptonomica.net

Re: OpenPGP key verification + legal framework
Hi Viktor.

On 05-11-2018 15:21, Viktor wrote:
> Dear All,
>
> we create a service for OpenPGP key verification:
> https://cryptonomica.net
>
> It's open sourced https://github.com/Cryptonomica/cryptonomica and it
> has legal part ( see:
> https://github.com/Cryptonomica/cryptonomica/wiki/Cryptonomica-White-Paper
> ) aimed at creating an international system of legally recognized and
> enforceable contracts based on OpenPGP.
>
> I would be very interested to hear feedback, criticism and suggestions
> on our project. And also to establish contacts with people interested
> in cooperation.

As the site is unusable without JavaScript, it's hard to use it without
it. It looks pretty common today that even a start page requires
JavaScript.

What I dislike more is that, for a privacy site, you request code from
"ajax.googleapis.com". I suggest delivering all your required JS parts
from your site to be on the safe side. Jm2c

> Best regards,
> Viktor Ageyev
> CEO/CTO, Cryptonomica.net

Best regards
Aleks

Re: OpenPGP key verification + legal framework
Hi


On Monday 5 November 2018 at 8:37:01 PM, in
<mid:5950ae29-1a13-36bc-d514-ca5f353a3ff1@gmail.com>, Viktor wrote:-


> You can register a Google account with any email address. Simply,
> instead of creating an account on our service (another password that
> needs to be saved), you create an account on Google, or use an
> existing one.

Many people would not be prepared to do this because Google now
demands a phone number in their sign-up process. Nobody needs a phone
number in order to provide an email account, it is just an additional
piece of personal information for Google to abuse.



> It doesn't seem to me that every internet site should have its own
> separate login-password system, in most cases it is better to use the
> existing secure solution.

Too many eggs, too few baskets. Crack the user's login on one site and
you've cracked it on all.


--
Best regards

MFPA <mailto:2017-r3sgs86x8e-lists-groups@riseup.net>

Something must be done. This is something. Therefore, we must do it.
Re: OpenPGP key verification + legal framework
On 10/11/2018 13:40, MFPA wrote:
> Many people would not be prepared to do this because Google now
> demands a phone number in their sign-up process. Nobody needs a phone
> number in order to provide an email account, it is just an additional
> piece of personal information for Google to abuse.

We also require a phone number check to verify user identity.
If you want to stay anonymous, you can not verify your identity.

>> It doesn't seem to me that every internet site should
>> have its own
>> separate login-password system, in most cases it is
>> better to use the
>> existing secure solution.
>
> Too many eggs, too few baskets. Crack the user's login on one site and
> you've cracked it on all.

Most logins are connected to email. Crack the email, and you've got them all.
What is the difference if you use the same login as for email?

Best regards,
Viktor Ageyev
