Trust model tofu+pgp and User ID in Signer's UID packet
wk at gnupg.org
Fri May 3 10:42:49 CEST 2019
On Thu, 25 Apr 2019 13:48, gnupg-devel at gnupg.org said:
> As I've seen previously OpenKeychain embeds full User ID as Signer's
> UID (that is "John Doe <john at example.com>") but GnuPG users only
They should not do that because only the addrspec identifies the user.
The real name in a mail address is often changed.
> e-mail ("john at example.com"). It seems when GnuPG encounters Signer's
> UID in full form it cannot get TOFU validity.
Right, in gpg the user id from the signature is only sanitized of bad
characters and then used verbatim. Using only the addrspec part, if it
exists, is a better idea. I'll change that for 2.2.
Thoughts are free. Exceptions are governed by a federal law.
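The lookup difference the thread describes, as an added illustration that is not gpg's or OpenKeychain's code: a TOFU binding keyed by mail address is missed when the Signer's UID is used verbatim in its full form, and found once only the addr-spec is used. The fingerprint, the binding table and the lowercasing of the address are constructed assumptions.

```python
import re
from typing import Optional

# Simplified RFC 5322 addr-spec: local-part@domain (no quoted local parts).
_ADDR = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9.-]+"
_ANGLE_ADDR = re.compile(r"<(" + _ADDR + r")>")
_BARE_ADDR = re.compile(r"^" + _ADDR + r"$")

def sanitize_uid(uid: str) -> str:
    """Strip non-printable characters from a Signer's UID before use."""
    return "".join(ch for ch in uid if ch.isprintable()).strip()

def addrspec_from_uid(uid: str) -> Optional[str]:
    """Return the addr-spec of a User ID ('John Doe <john@example.com>' or a
    bare 'john@example.com'), or None if the UID carries no mail address.
    Lowercasing is an assumption of this example, not gpg's behaviour."""
    uid = sanitize_uid(uid)
    m = _ANGLE_ADDR.search(uid)
    if m:
        return m.group(1).lower()
    if _BARE_ADDR.match(uid):
        return uid.lower()
    return None

def tofu_lookup_key(signer_uid: str, addrspec_only: bool) -> str:
    """Key used to find the TOFU binding: the sanitized UID verbatim (old
    behaviour) or only its addr-spec when one exists (proposed behaviour)."""
    if addrspec_only:
        spec = addrspec_from_uid(signer_uid)
        if spec is not None:
            return spec
    return sanitize_uid(signer_uid)

# Constructed TOFU binding table: (fingerprint, email) -> verified signatures seen.
FPR = "0000000000000000000000000000000000000000"  # placeholder fingerprint
TOFU_BINDINGS = {(FPR, "john@example.com"): 12}

def tofu_signature_count(fpr: str, signer_uid: str, addrspec_only: bool) -> Optional[int]:
    """Return the matching binding's signature count, or None when no binding
    matches (gpg would then report no TOFU validity for the signature)."""
    return TOFU_BINDINGS.get((fpr, tofu_lookup_key(signer_uid, addrspec_only)))

if __name__ == "__main__":
    full = "John Doe <john@example.com>"   # form OpenKeychain embeds
    bare = "john@example.com"              # form gpg embeds
    for uid in (full, bare):
        print(repr(uid), "verbatim:", tofu_signature_count(FPR, uid, False),
              "addrspec:", tofu_signature_count(FPR, uid, True))
```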