TOFU for GnuPG

Neal H. Walfield neal at walfield.org
Tue Nov 3 16:34:39 CET 2015


At Tue, 03 Nov 2015 16:10:24 +0100,
Andre Heinecke wrote:
> Don't we need to look up the new key anyway to make validity decisions? Until
> then we assume "Unknown" trust.

In the verify case, yes.  But what about the sign case?  We just see
that the old key has been revoked, but we don't know what the new key
is.

Thanks,

:) Neal


