TOFU for GnuPG
Andre Heinecke
aheinecke at intevation.de
Tue Nov 3 16:56:27 CET 2015
Hi,
On Tuesday 03 November 2015 16:34:39 you wrote:
> At Tue, 03 Nov 2015 16:10:24 +0100,
>
> Andre Heinecke wrote:
> > Don't we need to look up the new key anyway to make validity decisions?
> > Until then we assume "Unknown" trust.
>
> In the verify case, yes. But what about the sign case? We just see
> that the old key has been revoked, but we don't know what the new key
> is.
I assume you mean the encrypt case (I don't see how this affects sign)? But
still I don't see a problem there. If you don't have a valid key to encrypt
to, you need to get a different key. How is the trust model involved in that?
Once you have that new key you can do the UID / Signature checks I suggested.
Regards,
Andre
--
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner