TOFU for GnuPG

Peter Lebbing peter at
Thu Oct 29 19:57:29 CET 2015

On 29/10/15 17:23, Daniel Baur wrote:
> isn’t it a little bit problematic that GPG now logs how often I received
> emails by someone else?

I would think that in most situations, that is not a problem. If you exclusively
use webmail, there isn't such a record directly on your computer's disk, but you
also can't use GnuPG with webmail, AFAIK. If you use a regular e-mail program
that works with GnuPG, that information is already on your disk and accessible
to the user account you run it as, so duplicating that information in the GnuPG
home directory adds nothing.

Do you know of a scenario where this information is not already available from
the e-mail program? Even if the user deletes the mail after they read it, I
wouldn't be at all surprised if this just marks the data as deleted rather than
scrubbing the data from the disk. This would muddy the statistics, but
hardly be a security feature.

Also, you could just disable TOFU if you're worried by it, but you would lose
the functionality as well...

Maybe there's a use case for optionally not gathering these statistics if key
validity is already established through the WoT. That way, if you want to keep
the frequency of correspondence a secret, you could use the WoT to establish

An option to not gather statistics for specific keys rather calls out those keys
as interesting, and an option to disable the statistics for all TOFU keys seems
like losing a very valuable tool in assessing which key is the One Key.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
