Handling a TOFU conflict

Werner Koch wk at gnupg.org
Wed Dec 7 21:02:03 CET 2016

On Wed,  7 Dec 2016 11:40, neal at walfield.org said:

> Sorry, the --command-fd option is just a distraction.  But, it is how
> epg currently works, AFAICT.

Not really, because it is the reason for the "GET_LINE tofu.conflict"
which we can't use with any GPGME enabled MUA.  Insofar epg diverges from
GPGME's behaviour.

> You only see the TOFU_STATS lines for the keys under consideration.
> It would be nice to have a way to immediately get the statistics for
> the conflicting keys.  That is what this patch is about.

You need to do a key listing anyway to get all details of the key.  Thus

 gpg --with-colons --with-tofu-info MAILADDRESS

will give you all information you need in a format you already need for
displaying the details of the key.

Adding a hint on which key conflicts might be useful but is not necessary.

> means that the MUA has to know that conflicts are based on the email
> address (and not whole user id) as well as any normalization rules

For Tofu and all kinds of "modern" key discovery, we solely use the mail
address - that is the unique identifier and not some garbage in the user

> that we use.  Currently, we only lowercase the email address, but one
> could imagine adding support for google's aliases ('.'s don't mean

Definitely not.  As soon as you start to special case things you are
violating implicit assumptions and will for sure run into problems.
Downcasing _ascii_, in contrast, is different because case-independent
matching is a >30 year old practice and not doing this would be a surprise.

> I'm sorry, I don't understand why specifying a key by fingerprint
> should cause that key to be fully trusted.

Because the user said: “Please encrypt to exactly this key”.  And
that is what gpg does - questioning this request is wrong.  This may
only fail when the key may not be used for other reasons (revoked,
expired, wrong capabilities).

> Can you please elaborate.  I have a rather different understanding of
> what TOFU is about.  (If you are interested: it's about monitoring
> bindings for conflicts.)

If a user demands _encryption_ to a certain well specified key (i.e. by
fingerprint or with -f) gpg shall just do that.  The story is different
when receiving mail: Verification shall of course detect conflicts.



Thoughts are free.  Exceptions are regulated by a federal law.
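Added example, not from this thread or from GnuPG: a small Python parser over constructed `gpg --with-colons --with-tofu-info` output that groups keys by mail address the way the message describes (only ASCII letters downcased, no alias rewriting) and flags TOFU conflicts, which is the check a MUA would run before displaying the conflicting keys' details. The "tfs" field positions are assumed from gpg's DETAILS document; the sample listing is constructed, not real key data.

```python
import re
from collections import defaultdict

# Constructed sample (not real gpg output).  Two keys carry the same mail
# address, which is exactly what TOFU calls a conflict; the third key is
# an unrelated, well-established binding.  Assumed "tfs" layout (from
# gpg's DETAILS): field 3 = validity (0 conflict, 1 no history, 2 little,
# 3 enough, 4 a lot), 4 = signature count, 5 = encryption count, 6 = policy.
SAMPLE = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1480000000::::::esca::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1480000000::HASH1::Alice <Alice@Example.org>::::::::::0:
tfs:1:0:12:3:auto:1480000000:1481000000:1480500000:1481000000:
pub:u:2048:1:BBBBBBBBBBBBBBBB:1481000000::::::esca::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:u::::1481000000::HASH2::Mallory <alice@example.org>::::::::::0:
tfs:1:0:1:0:auto:1481000000:1481000000:0:0:
pub:u:2048:1:CCCCCCCCCCCCCCCC:1470000000::::::esca::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:u::::1470000000::HASH3::Carol <carol@example.org>::::::::::0:
tfs:1:3:40:25:good:1470000000:1481000000:1470100000:1481000000:
"""

def normalize_mail(uid: str) -> str:
    """Take the address out of a user id and downcase ASCII letters only,
    as the thread describes gpg doing; dots and plus-tags are kept as-is."""
    m = re.search(r"<([^>]+)>", uid)
    addr = m.group(1) if m else uid.strip()
    return "".join(c.lower() if c.isascii() else c for c in addr)

def parse_tofu_listing(text: str) -> dict:
    """Map normalized address -> [(fingerprint, validity, policy, sigs, encs)]
    using the tfs record that follows each uid record."""
    bindings = defaultdict(list)
    fpr = addr = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "fpr":
            fpr = f[9]                       # fingerprint is field 10
        elif f[0] == "uid":
            addr = normalize_mail(f[9])      # user id string is field 10
        elif f[0] == "tfs" and fpr and addr:
            bindings[addr].append((fpr, int(f[2]), f[5], int(f[3]), int(f[4])))
    return dict(bindings)

def tofu_conflicts(text: str) -> dict:
    """Addresses bound to more than one key, or whose tfs validity is 0
    (gpg's conflict code): these are the keys whose stats a MUA should
    show to the user instead of encrypting silently."""
    return {a: b for a, b in parse_tofu_listing(text).items()
            if len(b) > 1 or any(v == 0 for _, v, *_ in b)}
```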