Trust model tofu+pgp and User ID in Signer's UID packet

Werner Koch wk at gnupg.org
Fri May 3 10:42:49 CEST 2019


On Thu, 25 Apr 2019 13:48, gnupg-devel at gnupg.org said:

> As I've seen previously OpenKeychain embeds full User ID as Signer's
> UID (that is "John Doe <john at example.com>") but GnuPG users only

They should not do that becuase only the addrspec identifies the user.
The real name in a mail address is often changed.

> e-mail ("john at example.com"). It seems when GnuPG encounters Signer's
> UID in full form it cannot get TOFU validity.

Right, in gpg the user id from the signature is only sanitized of bad
characters and then used verbatim.  Using only the addrspec part, if it
exists, is a better idea.  I 'll change that for 2.2.


Salam-Shalom,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20190503/0114d8a3/attachment.sig>


More information about the Gnupg-devel mailing list