On 07.06.2017 at 13:21, Peter Lebbing wrote:

> On 07/06/17 11:04, Peter Lebbing wrote:
>> On 06/06/17 20:12, Stefan Claas wrote:
>>> Is TOFU verifying the email address from the From: header of the message
>>> and then comparing it with the email address in the UID?
>> Yes.
> Actually, that's not really correct. It also works without a From:. I
> don't know the details by heart, and I spoke too easily. TOFU verifies
> the consistency of the binding between a key and the e-mail address in a
> UID. So if so far you've seen a particular key being used for signatures
> from <j...@example.org> and suddenly it's signed by a different key that
> also has an e-mail address <j...@example.org>, TOFU will alert you that
> this is not what it expected to see.

Thanks, that's what I assumed.

> It will not alert you of similar-looking
> e-mail addresses, since this is really hard to solve, but the statistics
> printed will hopefully make you notice that even though you should see
> "10 signatures verified in the past month", it suddenly says "0
> signatures verified so far" and this tells you it is not the same key as
> before.

In Enigmail with the blue and green bar (without showing statistics) it would simply mean
that it switches from green to blue, right?

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
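
The binding check discussed in the thread above, as an added example that is not part of the original messages and is not GnuPG's code: a simplified Python model in which a new key for an already-seen exact address is flagged, while a look-alike address is not flagged and simply starts at zero verified signatures. The class name, addresses and fingerprints are constructed for illustration.

```python
from collections import defaultdict


class TofuDB:
    """Simplified model of TOFU bookkeeping (an assumption, not GnuPG's implementation)."""

    def __init__(self):
        self.counts = defaultdict(dict)  # address -> {fingerprint: signatures verified}
        self.flagged = set()             # (address, fingerprint) pairs awaiting a user decision

    def observe(self, address, fingerprint):
        """Record one verified signature; return (status, signatures seen before)."""
        address = address.strip().lower()
        seen = self.counts[address]
        prior = seen.get(fingerprint, 0)
        if prior == 0 and seen:
            # A different key is already bound to this exact address.
            self.flagged.add((address, fingerprint))
        seen[fingerprint] = prior + 1
        if (address, fingerprint) in self.flagged:
            return "conflict", prior
        return ("first-use" if prior == 0 else "consistent"), prior


def demo():
    """Replay constructed observations; the fingerprints are placeholders."""
    db = TofuDB()
    key_a, key_b = "AAAA1111", "BBBB2222"
    for _ in range(10):
        db.observe("alice@example.org", key_a)      # history with the usual key
    return [
        db.observe("alice@example.org", key_a),     # same key, same address
        db.observe("alice@example.org", key_b),     # different key, same address
        db.observe("alice@examp1e.org", key_b),     # look-alike address, no alert
    ]


if __name__ == "__main__":
    for status, prior in demo():
        print(f"{status}: {prior} signatures verified so far")
```

In the third case the only hint is the count of 0, which is the statistic the thread says a reader should notice.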
