Handling a TOFU conflict

Neal H. Walfield neal at walfield.org
Thu Dec 8 20:41:43 CET 2016

On Thu, 08 Dec 2016 20:13:38 +0100,
Andre Heinecke wrote:
> On Thursday 08 December 2016 19:36:00 Werner Koch wrote:
> > On Thu,  8 Dec 2016 11:34, neal at walfield.org said:
> > > reasoned argument.  (If there was one please point me to it.)
> > 
> > Aside from discussions here, we discussed this in person, on phone, and
> > on jabber several times.  I know that you write a paper where you argued
> > that protecting against homograph is important.  I do not share this
> > view, though.  What seems to be a homograph to one person is a
> > plausible different entity to another person.
> For the record, I completely agree with Werner here and this may hurt 
> usability through false positives so much that automated crypto is not doable.

I find it hard to imagine that detecting homographic-based conflicts
would introduce many false positives.

> > > Then we'll have to disagree.  I would honestly and sincerely like to
> > > hear what you think TOFU is trying to protect against.
> > 
> > To detect and warn about a different key with the same mail address.
> I'm also in agreement, I think TOFU is most important as a tool for automated 
> encryption. And as long as I won't try to write mails to "T0FU at example.com" 
> instead of "TOFU at example.com" this is a non-issue.

Serious question: what is this tool (i.e., TOFU) supposed to do?  That
is, how is it supposed to help automated encryption?


:) Neal
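
The two positions in this thread, side by side, as an added example that is not part of the original message and is not GnuPG's code: a trust-on-first-use store that flags a different key for the same address, with an optional check for look-alike addresses such as "T0FU" versus "TOFU". The class and function names, the three-entry confusables table, the case-folding of the whole address and the fingerprints are all constructed assumptions.

```python
# Added illustration; names and the confusables table are constructed, not GnuPG's.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s"})


def skeleton(address):
    """Fold an address so that look-alike characters compare equal."""
    return address.casefold().translate(CONFUSABLES)


class TofuStore:
    def __init__(self):
        self.bindings = {}  # case-folded address -> set of fingerprints seen

    def observe(self, address, fingerprint, check_homographs=False):
        """Record a (address, key) binding and classify it.

        Returns "known", "new", "conflict" (same address, different key) or
        "homograph-conflict" (look-alike address bound to a different key).
        """
        addr = address.casefold()
        known = self.bindings.setdefault(addr, set())
        if fingerprint in known:
            return "known"
        if known:
            verdict = "conflict"
        elif check_homographs and any(
            other != addr
            and skeleton(other) == skeleton(addr)
            and fps - {fingerprint}  # the look-alike is bound to another key
            for other, fps in self.bindings.items()
        ):
            verdict = "homograph-conflict"
        else:
            verdict = "new"
        known.add(fingerprint)
        return verdict


if __name__ == "__main__":
    store = TofuStore()
    # Constructed sample bindings; the fingerprints are placeholders.
    for addr, fpr in [("TOFU@example.com", "AAAA"),
                      ("TOFU@example.com", "BBBB"),
                      ("T0FU@example.com", "CCCC")]:
        print(addr, fpr, store.observe(addr, fpr, check_homographs=True))
```

With `check_homographs=False` the third binding is reported as "new", which is the exact-address behaviour; with it enabled, the same binding is reported as "homograph-conflict".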
