[git] GnuPG - branch, master, updated. gnupg-2.1.21-85-g243b2a5

by Neal H. Walfield cvs at cvs.gnupg.org
Thu Jul 6 21:18:31 CEST 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, master has been updated
       via  243b2a570c30586e19b8c88e43b282d62d8eb77c (commit)
      from  4c3a59e9c0a4902f96b9f199b9821573ffb7c628 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 243b2a570c30586e19b8c88e43b282d62d8eb77c
Author: Neal H. Walfield <neal at g10code.com>
Date:   Thu Jul 6 21:15:45 2017 +0200

    doc: Improve TOFU documentation.
    
    * doc/gpg.texi: Improve TOFU documentation.
    
    Signed-off-by: Neal H. Walfield <neal at g10code.com>
    Suggested-by: Teemu Likonen <tlikonen at iki.fi>

diff --git a/doc/gpg.texi b/doc/gpg.texi
index 9dceed9..bc83eff 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1633,10 +1633,14 @@ Set what trust model GnuPG should follow. The models are:
   @opindex trust-model:tofu
   @anchor{trust-model-tofu}
   TOFU stands for Trust On First Use.  In this trust model, the first
-  time a key is seen, it is memorized.  If later another key is seen
-  with a user id with the same email address, a warning is displayed
-  indicating that there is a conflict and that the key might be a
-  forgery and an attempt at a man-in-the-middle attack.
+  time a key is seen, it is memorized.  If later another key with a
+  user id with the same email address is seen, both keys are marked as
+  suspect.  In that case, the next time either is used, a warning is
+  displayed describing the conflict, why it might have occured
+  (either the user generated a new key and failed to cross sign the
+  old and new keys, the key is forgery, or a man-in-the-middle attack
+  is being attempted), and the user is prompted to manually confirm
+  the validity of the key in question.
 
   Because a potential attacker is able to control the email address
   and thereby circumvent the conflict detection algorithm by using an
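Review bot: The added paragraph has two wording slips that will end up in the rendered manual: "occured" in "why it might have occured" should be "occurred", and "the key is forgery" is missing its article ("the key is a forgery"). The parenthetical also opens with "either" but then lists three alternatives (a new key that was not cross signed, a forgery, a man-in-the-middle attack); dropping "either" would read more cleanly. Since this text describes how conflicts are handled under trust-model tofu, it is worth fixing these before the next release so the description of the warning is unambiguous.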

-----------------------------------------------------------------------

Summary of changes:
 doc/gpg.texi | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)


hooks/post-receive
-- 
The GNU Privacy Guard
http://git.gnupg.org



