adding TOFU/POP to GnuPG

Robert J. Hansen rjh at
Fri Mar 14 19:38:18 CET 2014

Quoting Daniel Kahn Gillmor <dkg at>:
> GnuPG does not limit itself to the RFCs, particularly when it comes to
> its role as a keyring/contact manager for OpenPGP.

Correct, but this is for historical reasons.  When GnuPG was in a  
pre-1.0 state, Werner made the (entirely reasonable) decision that  
GnuPG should as far as possible be a drop-in replacement for PGP.   
That meant emulating all of PGP's feature set, including the key  
management that had organically grown in the PGP community since 1992.

There is no historical reason to support TOFU/POP.  We're talking  
about adding significant complexity and a nontrivial amount of code  
for something which at present has minimal community demand.

If a different trust mechanism than the WoT existed in 1992 and had  
become GnuPG's preferred system today, and someone came on-list saying  
"hey, I have an idea: let's do the WoT," I'd also say, "no, let's not:  
this is not within the remit of OpenPGP, and I think GnuPG is  
strongest when it stays close to the RFCs."

> If GnuPG wasn't already in the business of doing these validity
> calculations, there might be more merit in Robert's argument, but in
> practice, this is one of the core features of the tool.  So any
> consideration about extending or modifying user ID validity calculations
> is *definitely* in-scope for GnuPG.

I emphatically disagree.  Just because we have inherited one set of  
historical baggage is not a sufficient reason to believe we should  
introduce new things in that same vein.

More information about the Gnupg-devel mailing list