TOFU for GnuPG

Neal H. Walfield neal at
Thu Oct 29 22:38:40 CET 2015

Hi Peter,

At Thu, 29 Oct 2015 19:57:29 +0100,
Peter Lebbing wrote:
> On 29/10/15 17:23, Daniel Baur wrote:
> > isn’t it a little bit problematic that GPG now logs how often I received
> > emails by someone else?
> I would think that in most situations, that is not a problem. If you exclusively
> use webmail, there isn't such a record directly on your computer's disk, but you
> also can't use GnuPG with webmail, AFAIK. If you use a regular e-mail program
> that works with GnuPG, that information is already on your disk and accessible
> to the user account you run it as, so duplicating that information in the GnuPG
> home directory adds nothing.
> Do you know of a scenario where this information is not already available from
> the e-mail program? Even if the user deletes the mail after they read it, I
> wouldn't be at all surprised if this just marks the data as deleted rather than
> that it scrubs the data from the disk. This would muddy the statistics, but
> hardly be a security feature.

I think this mostly reflects our thinking.  Thanks for the good

FWIW, we have thought of aging the data or just storing the hash of
the most recent X signatures.  But, we decided to defer that
discussion until later since it should be easy to add on.

> Also, you could just disable TOFU if you're worried by it, but you would lose
> the functionality as well...
> Maybe there's a use case for optionally not gathering these statistics if key
> validity is already established through the WoT. That way, if you want to keep
> the frequency of correspondence a secret, you could use the WoT to establish
> validity.
> An option to not gather statistics for specific keys rather calls out those keys
> as interesting, and an option to disable the statistics for all TOFU keys seems
> like losing a very valuable tool in assessing which key is the One Key.

To keep the code simple, I'd prefer to avoid adding options that few
people will use and are of questionable utility.  In particular, I
think if someone's security requirements are such that having a list
of the hashes of previously seen messages is too big of a security
risk, then they should probably just disable TOFU.  Indeed, TOFU
itself probably violates their security requirements.


:) Neal

More information about the Gnupg-users mailing list