adding TOFU/POP to GnuPG

Daniel Kahn Gillmor dkg at
Fri Mar 14 18:15:25 CET 2014

On 03/14/2014 01:00 PM, Daniel Kahn Gillmor wrote:
> I have a TOFU/POP workflow already that works with GnuPG, but it's a
> very clunky one, and the tool itself could facilitate this kind of
> workflow.  i agree with your general goal here, thanks for pushing this.

I should follow up on this more clearly instead of just hinting.  here's
what i do (roughly):

When i get a key that i'm willing to use for future correspondence, but
that i haven't verified via any of my usual strong mechanisms that would
permit a direct certification, i make a local (non-exportable) OpenPGP
certification on the reasonable-looking User IDs associated with that
key from an unpublished dedicated "local-certifying" key, which i have
marked with marginal ownertrust.  These certifications are usually
time-limited (--ask-cert-expire), and they include a free-form textual
OpenPGP notation (--cert-notation) that i use to record any notes about
how and where i've used the key, and why i've decided that the
key+UserID is acceptable for use.

when the certification expires, the contact becomes unusable again, but
i can review my local certifications for signature dates and notes
(--list-options show-notations --check-sigs) for hints about when and
why i did this, and can pretty easily refresh the persistence.

This does *not* prevent two keys from being active for a given User ID
at the same time, though.

Sorry this isn't outlined more clearly, and that my scripts for managing
this use case aren't particularly suited for publication.

If anyone has more specific questions about the workflow or suggestions
for improvements, i'm all ears.

Happy hacking,


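As an added illustration (not dkg's own scripts), the workflow above run end to end in a throwaway GNUPGHOME with GnuPG's batch options; it assumes an ultimately trusted primary key locally certifies the local-certifying key so GnuPG counts its certifications, a 90-day lifetime, and the notation name tofu-note@example.org:

```shell
#!/bin/sh
# Constructed demo of the local-certifying-key workflow from the post, not dkg's scripts.
# Assumptions the post does not state: an ultimately trusted primary key locally
# certifies the local-certifying key (otherwise GnuPG ignores its certifications),
# the notation name tofu-note@example.org, and a 90-day certification lifetime.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found; demo skipped"; exit 0; }

WORK=$(mktemp -d); export GNUPGHOME="$WORK/home"; mkdir -m 700 "$GNUPGHOME"
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"; }
trap cleanup EXIT
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null; }
fpr() { g --with-colons --list-keys "$1" | awk -F: '/^fpr:/ { print $10; exit }'; }
uid_validity() { g --with-colons --list-keys "$1" | awk -F: '/^uid:/ { print $2; exit }'; }

# The correspondent's key "arrives from outside": generate it in a throwaway home
# and import only the public part, so it carries no ownertrust or validity here.
make_foreign_key() {
  h=$(mktemp -d); chmod 700 "$h"
  ( export GNUPGHOME="$h"; g --quick-generate-key "$1" default default never
    g --export "$1" > "$2"; gpgconf --kill gpg-agent 2>/dev/null )
  rm -rf "$h"
}

PRIMARY='Me <me@example.org>'; CERTIFIER='Local certifier, never exported'
CONTACT='Alice <alice@example.org>'
g --quick-generate-key "$PRIMARY" default default never    # gets ultimate ownertrust
g --quick-generate-key "$CERTIFIER" default default never
make_foreign_key "$CONTACT" "$WORK/alice.gpg"; g --import "$WORK/alice.gpg"
C=$(fpr "$CERTIFIER"); A=$(fpr "$CONTACT")

# The certifier is vouched for by the primary key but given only marginal
# ownertrust (4), so whatever it certifies becomes marginally valid, never fully.
g --local-user "$(fpr "$PRIMARY")" --quick-lsign-key "$C"
printf '%s:4:\n' "$C" | g --import-ownertrust

# Time-limited, non-exportable certification carrying a free-form note on why.
g --local-user "$C" --default-cert-expire 90d \
  --cert-notation "tofu-note@example.org=seen on gnupg-devel 2014-03-14; fine for list mail" \
  --quick-lsign-key "$A"
g --check-trustdb

# Review later: the listing shows the signature date, expiry and notation,
# and the User ID's validity is 'm' (marginal), not 'f' or 'u'.
review() { g --list-options show-notations --check-sigs "$1"; }
review "$A"
echo "validity of '$CONTACT': $(uid_validity "$A")"
```

When the 90 days pass the certification expires and Alice's User ID drops back to unknown validity; re-running the --quick-lsign-key step after reviewing the notation is the "refresh" the post describes.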
