On 06.06.17 12:46, Peter Lebbing wrote:
> On 06/06/17 05:30, Duane Whitty wrote:
>> As I understand the concept of TOFU (Trust On First Use), when you
>> receive a signed email gpg tests that signature against the key
>> retrieved from the public key servers associated with the email.
>
> TOFU is about *consistency*. It says: this e-mail is signed by the same
> key you've seen on all the earlier messages you received from this
> e-mail address. It keeps count, and alerts you when all of a sudden you
> start receiving signatures made by a different key.

Is TOFU verifying the email address from the From: header of the message and then comparing it with the email address in the UID? I ask, because if I would use a free-form UID with no email address, or I use an Anon Remailer with a nym account where both email addresses are not identical.

>
> Note that it can also be combined with the Web of Trust. You could use
> TOFU just to track consistency and not award validity to keys, or you
> could use TOFU to award marginal validity and obtain the remaining
> validity from, e.g., marginally trusted Web of Trust signatures.
>
> But TOFU isn't for everyone, and neither is the Web of Trust. It's your
> call.
>
> By the way, it is my feeling Stefan Claas is looking for TOFU. The
> Identicon scheme feels like TOFU with the database on external storage,
> to wit, the user's brain :). Better to store that database on disk,
> IMHO. The (only) net loss is that there is no synchronization between
> different devices.

I just installed modern GnuPG and used it with two inline PGP messages from Usenet and I like it. :-)

>
> My Enigmail works with TOFU, although I can't see any statistics. But it
> correctly awards a green bar with "Good signature" to my TOFU-verified keys.
>

I tried also with Enigmail under OS X, but when checking the signatures here from the list members I always get the blue "Untrusted Good Signature".

Regards
Stefan
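The consistency tracking described in the quoted explanation above (same key as before, a running count, an alert when a different key appears), as an added sketch that is not part of the thread and not GnuPG's code. The class and method names, the addresses and the fingerprints are constructed for illustration, and which address a real client passes in is left to the caller.

```python
from collections import defaultdict


class TofuStore:
    """Toy TOFU database: counts verified signatures per (address, key) binding."""

    def __init__(self):
        # address -> fingerprint -> number of good signatures seen
        self.bindings = defaultdict(lambda: defaultdict(int))

    def observe(self, address, fingerprint):
        """Record one cryptographically valid signature; return (status, count)."""
        address = address.strip().lower()
        known = self.bindings[address]
        if not known:
            status = "first-use"      # nothing to compare against yet
        elif fingerprint in known and len(known) == 1:
            status = "consistent"     # same key as on every earlier message
        else:
            status = "conflict"       # more than one key claims this address
        known[fingerprint] += 1
        return status, known[fingerprint]

    def resolve(self, address, good_fingerprint):
        """User decision after a conflict: keep one key, forget the others."""
        known = self.bindings[address.strip().lower()]
        for fpr in [f for f in known if f != good_fingerprint]:
            del known[fpr]


if __name__ == "__main__":
    KEY_A = "A" * 40  # constructed placeholder fingerprints
    KEY_B = "B" * 40
    store = TofuStore()
    # Constructed sequence of verified signatures for one address.
    for fpr in (KEY_A, KEY_A, KEY_A, KEY_B, KEY_A):
        print(fpr[:8], store.observe("alice@example.org", fpr))
```

Once a second key has been seen, every later signature for that address stays in "conflict" until `resolve` records which key the user accepts, which mirrors the point that a good signature alone does not settle which key belongs to the address.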