TOFU: interacting with the user

Neal H. Walfield neal at
Wed Oct 21 15:35:33 CEST 2015

At Tue, 20 Oct 2015 19:46:23 +0200,
Andre Heinecke wrote:
> I've not yet tested what happens in case of conflicts where the command line 
> would ask questions. Maybe bring up a pinentry prompt for that?

This requires GpgME support.

There are a couple of arguments against using pinentry for this.

I think we should only use pinentry for requesting sensitive
information.  Moreover, only gpg-agent should use pinentry.  This way,
the user learns that only gpg-agent uses this interface.  Currently,
it is not possible to enforce this behavior.  But if we ever get good
mechanisms for implementing the principle of least authority (like
Genode), we should make sure that we are still in a position to take
advantage of them.

Second, pinentry doesn't currently support TOFU's queries!  When a
conflict is detected, GnuPG asks the user to assign a policy to the
key.  There are five choices (good, accept once, unknown, reject once,
bad).  Currently, pinentry only supports up to three buttons.  A hack
would be to only offer three choices: good, unknown and bad.  This
works because the other two are just ways to defer the decision and
not really policies.


:) Neal
