TOFU for GnuPG

Andre Heinecke aheinecke at
Tue Nov 3 16:56:27 CET 2015


On Tuesday 03 November 2015 16:34:39 you wrote:
> At Tue, 03 Nov 2015 16:10:24 +0100,
> Andre Heinecke wrote:
> > Don't we need to lookup the new key anyway to make validity decisions?
> > Until then we assume "Unknown" trust.
> In the verify case, yes.  But what about the sign case?  We just see
> that the old key has been revoked, but we don't know what the new key
> is.

I assume you mean the encrypt case (I don't see how this affects sign)? But
still I don't see a problem there. If you don't have a valid key to encrypt
to, you need to get a different key. How is the trust model involved in that?

Once you have that new key you can do the UID / Signature checks I suggested.


Andre Heinecke |  ++49-541-335083-262  |
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
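A small model of the two cases discussed in this thread (verify, where the signing key is at hand, versus encrypt, where the bound key has been revoked), added here as an illustration and not GnuPG's own TOFU code; the policy names mirror GnuPG's TOFU policies, while the decision logic is simplified and all fingerprints and addresses are constructed:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Key:
    fpr: str                 # fingerprint (constructed values only)
    uids: Tuple[str, ...]    # e-mail addresses the key claims
    revoked: bool = False


@dataclass
class TofuStore:
    # email -> {fingerprint: policy}; policy names follow GnuPG's TOFU
    # policies (auto, good, unknown, bad), the logic is a simplification.
    bindings: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def verify(self, key: Key, email: str) -> str:
        """Verify case: the signing key is at hand, so record the binding.
        The first key seen for an address is trusted on first use ('auto');
        any later key for the same address starts as 'unknown' until the
        user has checked it (e.g. UID signatures) and set a policy."""
        if email not in key.uids:
            return "bad"          # key does not even claim this address
        seen = self.bindings.setdefault(email, {})
        if key.fpr not in seen:
            seen[key.fpr] = "auto" if not seen else "unknown"
        return seen[key.fpr]

    def set_policy(self, email: str, fpr: str, policy: str) -> None:
        """Record the user's decision after checking a new key."""
        self.bindings.setdefault(email, {})[fpr] = policy

    def encryption_key(self, email: str, keyring: Dict[str, Key]) -> Optional[Key]:
        """Encrypt case: pick a key for the recipient. A revoked key is never
        a valid encryption target whatever its TOFU policy, and a key still
        at 'unknown' is not chosen automatically; when nothing remains the
        caller has to obtain a different key, which then enters as 'unknown'."""
        for fpr, policy in self.bindings.get(email, {}).items():
            key = keyring.get(fpr)
            if key is None or key.revoked:
                continue
            if policy in ("auto", "good"):
                return key
        return None
```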
