Handling a TOFU conflict

Neal H. Walfield neal at walfield.org
Wed Dec 7 11:40:10 CET 2016

On Wed, 07 Dec 2016 11:03:21 +0100,
Werner Koch wrote:
> On Tue,  6 Dec 2016 15:09, neal at walfield.org said:
> >   $ gpg --command-fd 0 --status-fd 1 --trust-model tofu -r 16045E5FD8572D7C44AA6DCECC8D32F31C005AF3 -e 
> Why do you want to use the --command-fd?  This is uncommon for
> encryption or signing operations and not supported by gpgme.  The way
> this is handled (expired, revoked, or ambiguous addresses) is to return
> an error for the key and let the caller decide what to do.  This needs
> to be done anyway for other error cases.  I can't see why a TOFU
> conflict is different and needs a different way to handle it.

Sorry, the --command-fd option is just a distraction.  But, it is how
epg currently works, AFAICT.

> When you run the above command with --batch (as it is common and
> suggested), you see the TOFU status lines as well as an INV_RECP status.

You only see the TOFU_STATS lines for the keys under consideration.
It would be nice to have a way to immediately get the statistics for
the conflicting keys.  That is what this patch is about.

Currently, you still need to get all of the conflicting keys, which,
again, in addition to the extra work for the programmer and the minor
computational overhead, introduces a small race.  Further, it
means that the MUA has to know that conflicts are based on the email
address (and not whole user id) as well as any normalization rules
that we use.  Currently, we only lowercase the email address, but one
could imagine adding support for Google's aliases ('.'s don't mean
anything) and punycode.

> You gave the key by fingerprint which means you already looked it up the
> mail address.  If this has been done --always-trust is used to force the
> use of that key.

I'm sorry, I don't understand why specifying a key by fingerprint
should cause that key to be fully trusted.

> Tofu should only kick in for keys given by mail
> address, because that is what TOFU is about.

Can you please elaborate?  I have a rather different understanding of
what TOFU is about.  (If you are interested: it's about monitoring
bindings for conflicts.)


:) Neal
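
The message's point that conflicts are keyed on the lowercased email address rather than the whole user id, shown as an added example (not code from the original message or from GnuPG). The key list, the placeholder fingerprints, and the helper names `normalize_mbox` and `conflicts` are assumptions made for illustration; the mailbox extraction is a simplified sketch.

```python
import re
from collections import defaultdict

# Constructed sample data: (fingerprint, user id). Fingerprints are placeholders.
KEYS = [
    ("A" * 40, "Alice Example <alice@example.org>"),
    ("A" * 40, "Alice Example <alice@work.example>"),
    ("B" * 40, "A. Example <Alice@Example.ORG>"),
    ("C" * 40, "Bob <bob@example.org>"),
    ("D" * 40, "Test key without address"),
]

_ANGLE_ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>")
_BARE_ADDR = re.compile(r"\S+@\S+")


def normalize_mbox(user_id):
    """Return the lowercased mailbox of a user id, or None if it has none.

    Lowercasing is the only normalization the message names; alias or
    punycode handling is deliberately not attempted here.
    """
    match = _ANGLE_ADDR.search(user_id)
    if match:
        return match.group(1).lower()
    stripped = user_id.strip()
    if _BARE_ADDR.fullmatch(stripped):
        return stripped.lower()
    return None


def conflicts(bindings, key=normalize_mbox):
    """Group fingerprints by key(user id); report groups with more than one key."""
    groups = defaultdict(set)
    for fingerprint, user_id in bindings:
        group = key(user_id)
        if group is not None:
            groups[group].add(fingerprint)
    return {g: sorted(fprs) for g, fprs in groups.items() if len(fprs) > 1}


if __name__ == "__main__":
    # Keyed on the normalized address: keys A and B conflict.
    print(conflicts(KEYS))
    # Keyed on the whole user id: the same conflict goes unnoticed.
    print(conflicts(KEYS, key=lambda user_id: user_id))
```

A caller that compares whole user ids, or skips the lowercasing, misses the conflict between the first and third keys, which is the knowledge the message says an MUA would otherwise have to duplicate.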
