TOFU for GnuPG

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Fri Oct 30 13:06:14 CET 2015



Hi


On Thursday 29 October 2015 at 2:06:51 PM, in
<mid:878u6l93b8.wl-neal at walfield.org>, Neal H. Walfield wrote:


> When you verify a
> message from some user for the first time, GnuPG saves
> the binding between the user id (actually, the
> normalized email address) and the key.

The email address in the user-id, or the email address the message
appears to come from?

If it's the email address in the user-id, what happens if the key has
multiple UIDs covering several email addresses? Or if the user-ids
contain no readable email addresses?



> When you verify
> another message from that user, the saved bindings with
> that user's address are retrieved.  If there is at
> least one such binding, but none of them include the
> signer's key, then either the signer is using a new key
> or someone is attacking you.  In this case, GnuPG
> displays a warning and prompts you to verify the key
> and set an appropriate policy (e.g., the key should be
> considered untrusted).

How does it handle a new signing sub-key?


--
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

I would like to help you out. Which way did you come in?
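To make the binding logic in the quoted description concrete, here is a small Python model of a TOFU store added as an illustration; it is not GnuPG's code, and the `TofuStore` and `normalize_email` names, the "conflict" outcome, and the handling of keys with several user IDs or with no readable address are assumptions for the model, not a statement of what GnuPG does.

```python
import re
from typing import Dict, Optional, Set

# Pull the email address out of a user ID such as "Alice <Alice@Example.org>"
# and normalize it (lower-case, surrounding whitespace stripped).
# Returns None when the user ID carries no recognizable address.
def normalize_email(uid: str) -> Optional[str]:
    m = re.search(r"<([^<>\s]+@[^<>\s]+)>", uid)      # bracketed form first
    if not m:
        m = re.search(r"([^<>\s]+@[^<>\s]+)", uid)    # bare address fallback
    return m.group(1).strip().lower() if m else None


class TofuStore:
    """Bindings keyed by normalized address -> set of primary-key fingerprints
    (constructed model; fingerprints are assumed to identify the primary key)."""

    def __init__(self) -> None:
        self.bindings: Dict[str, Set[str]] = {}
        self.needs_policy: Set[tuple] = set()  # (email, fpr) pairs awaiting a user decision

    def verify(self, uid: str, fingerprint: str) -> str:
        """Record/check one (user ID, key) observation and classify it."""
        email = normalize_email(uid)
        if email is None:
            return "no-address"            # nothing to bind against; model ignores it
        known = self.bindings.setdefault(email, set())
        if fingerprint in known:
            return "known"                 # binding seen before: quiet success
        if not known:
            known.add(fingerprint)
            return "new"                   # first use of this address: trust on first use
        # Address already bound to other key(s): new key or an impersonation attempt.
        known.add(fingerprint)
        self.needs_policy.add((email, fingerprint))
        return "conflict"                  # warn and ask the user to set a policy

    def verify_key(self, uids, fingerprint: str) -> Dict[str, str]:
        """A key with several user IDs yields one binding per readable address."""
        return {uid: self.verify(uid, fingerprint) for uid in uids}
```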