TOFU - motivation

Nicholas Cole nicholas.cole at
Mon Apr 6 12:48:24 CEST 2015

On Monday, 6 April 2015, Werner Koch <wk at> wrote:

> On Mon,  6 Apr 2015 00:15, nicholas.cole at <javascript:;> said:
> > I just thought that if gpg-agent were storing the passphrase, then
> > making a local signature would not actually be a hassle. Give it a
> For me and some other this won't work because we keep our primary key
> offline.

People who know enough to do that and are cautious enough to do that
probably shouldn't be using TOFU. ;-)

But you could always have a less secure online key for TOFU.

Seriously though, the reason I think my idea might be worth implementing is
that it provides a pathway to teach users to be more secure, rather than
being a completely separate system.

"this signature was made automatically when you first used the key. For
better security you should check the fingerprint and upgrade the
signature." Or similar.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20150406/8e3b3fa2/attachment-0001.html>

More information about the Gnupg-devel mailing list