TOFU - motivation
Robert J. Hansen
rjh at sixdemonbag.org
Tue Mar 31 22:21:12 CEST 2015
> GnuPG manages the keyring, and should therefore record the state of
> the TOFU data.
I have nothing against this idea. Storing data is sensible (we already
do that, so it's hard to argue we shouldn't do that).
> I think the way to store this sort of thing internally would be
> non-exportable certifications (possibly issued by a dedicated key)
> marked with a particular OpenPGP notation to indicate that they're
> from this TOFU approach.
Also store the providing application, so that apps can make informed
decisions about whether to trust other applications' TOFU entries.
> b) what "cert-level" should this use? I tend to believe that
> cert-levels are not useful, and are possibly dangerous [0]
Completely agreed, but that's a total rant on my part -- ask me about it
sometime, though, if you want to see me get thoroughly irritated. :)
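A small model of the storage scheme discussed above, added here as an illustration and not code from GnuPG or from anyone in this thread: each TOFU binding is kept as a record carrying the providing application (as a notation would on a non-exportable certification), and the check treats a differing key as a conflict only when an application the caller trusts made the earlier binding. The notation name, the application names and the user ids are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Assumed notation name; the thread does not fix the actual name.
NOTATION_NAME = "tofu@example.invalid"


@dataclass
class TofuEntry:
    fingerprint: str
    app: str          # providing application, recorded alongside the binding
    sightings: int = 1


class TofuStore:
    def __init__(self):
        self.bindings = {}  # user id -> list of TofuEntry

    def observe(self, user_id, fingerprint, app, trusted_apps):
        """Record a (user id, key) sighting and classify it.

        Returns one of:
          'first'     - no prior binding; key recorded (trust on first use)
          'match'     - key matches a binding already on file
          'conflict'  - key differs from a binding made by an app we trust
          'untrusted' - key differs only from bindings made by apps we do
                        not trust; recorded, but not treated as a conflict
        """
        entries = self.bindings.setdefault(user_id, [])
        for e in entries:
            if e.fingerprint == fingerprint:
                e.sightings += 1
                return "match"
        if not entries:
            verdict = "first"
        elif any(e.app in trusted_apps for e in entries):
            verdict = "conflict"
        else:
            verdict = "untrusted"
        entries.append(TofuEntry(fingerprint, app))
        return verdict

    def notation(self, user_id, fingerprint):
        """Render the notation data a certification for this entry would carry."""
        for e in self.bindings.get(user_id, []):
            if e.fingerprint == fingerprint:
                return f"{NOTATION_NAME}={e.app};sightings={e.sightings}"
        return None
```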