TOFU code available

Werner Koch wk at
Thu Oct 22 14:29:05 CEST 2015

On Wed, 21 Oct 2015 13:29, aheinecke at said:
>> Nope.  We should not overload the Pinentry with functions it is not
>> designed for.
> I think it makes sense though. We already have pinentry asking for Root 
> Certificate trust in S/MIME and imo the TOFU questions fall in the same 
> category. It's just a dialog with a question and some options. 

The difference is that there are only a few root certificates
(modulo self-signed stuff) but for Tofu the "root certificate" is
the key of the user.  Thus you would have a Pinentry pop up for
each key.

> Some advantages I see:


My point is that the Pinentry should be rarely used for non-PIN
requests.  Exceptions I see are Root CA fingerprints and security update



Thoughts are free.  Exceptions are regulated by a federal law.
