TOFU code available

Neal H. Walfield neal at walfield.org
Tue Oct 13 10:33:29 CEST 2015


At Mon, 05 Oct 2015 21:12:36 +0200,
Neal H. Walfield wrote:
> Note: the point is not to come up with the canonical email address,
> but to compare two email addresses and indicate whether they are
> similar enough that a warning is justified.

Werner and I discussed this offline.  He argued that if we
aggressively normalize email addresses then we'll never be done.  For
instance, we need to consider homograph attacks (glyphs that look
similar but have different code points, e.g. a and alpha) and invalid
unicode.

To help detect conflicts there are two measures that we can take.

First, the MUA can check that the sender and the signer are consistent
with each other.  (This check should be done even if you're not using
TOFU.  Unfortunately, it is currently only performed by kmail and
claws.)  This doesn't work if the message is forwarded or bounced; if
the From header is forged; or, if a message is checked outside of the
MUA (e.g., from the command line).

Second, we can always show some basic statistics when verifying a
signature.  In particular, we show the number of signatures that we've
verified.  The idea is that if the user is in regular contact with
someone and gpg reports that this is the first message that it's seen
signed by that key, then the user should become suspicious.

Neal
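As an added example (not GnuPG's code, and not from the thread above), here is a minimal TOFU-style store that implements the two measures described in the message: a sender-versus-signer consistency check and per-key signature statistics that flag a first-seen key and a conflict when an address is already bound to another key. The addresses, fingerprints and the exact case-insensitive comparison are assumptions for the example; the fuzzier address comparison the thread debates is deliberately not attempted.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class TofuStore:
    """Per-binding statistics: (email, fingerprint) -> verified signatures seen."""
    counts: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def keys_for(self, email: str) -> Set[str]:
        """All fingerprints that have ever signed for this address."""
        return {fpr for (e, fpr) in self.counts if e == email}

    def verify(self, from_addr: str, signer_uid: str, signer_fpr: str) -> Tuple[int, List[str]]:
        """Record one verified signature and return (count so far, warnings)."""
        warnings: List[str] = []
        # Measure 1: the From header should agree with the signing key's user ID.
        # Assumption: exact case-insensitive comparison (no homograph handling).
        if from_addr.casefold() != signer_uid.casefold():
            warnings.append(f"sender {from_addr} does not match signer {signer_uid}")
        # Measure 2: how often has this key signed for this address before?
        binding = (signer_uid, signer_fpr)
        seen = self.counts.get(binding, 0)
        if seen == 0:
            warnings.append(f"first verified signature from key {signer_fpr} for {signer_uid}")
            # A different key already bound to the same address is a conflict.
            other_keys = self.keys_for(signer_uid) - {signer_fpr}
            if other_keys:
                warnings.append(f"conflict: {signer_uid} was previously bound to {sorted(other_keys)}")
        self.counts[binding] = seen + 1
        return seen + 1, warnings


# Constructed sample traffic: (From header, signer user ID, signer fingerprint).
SAMPLE_MESSAGES = [
    ("alice@example.org", "alice@example.org", "FPR-A1"),
    ("alice@example.org", "alice@example.org", "FPR-A1"),
    ("alice@example.org", "alice@example.org", "FPR-A1"),
    ("alice@example.org", "alice@example.org", "FPR-A2"),    # new key, same address
    ("mallory@example.net", "alice@example.org", "FPR-A1"),  # From header disagrees with signer
]


def run_sample() -> List[Tuple[int, List[str]]]:
    """Feed the constructed messages through one store and collect the results."""
    store = TofuStore()
    return [store.verify(*m) for m in SAMPLE_MESSAGES]
```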



