Key Discovery Made Simple
Werner Koch
wk at gnupg.org
Wed Aug 31 09:42:18 CEST 2016
On Tue, 30 Aug 2016 18:04, 3pfwunbu7j at snkmail.com said:
> Maybe add some _brief_ words about trust. We understand how
Well, I should have explained what I mean by Key Discovery:
We do key discovery to get a key for a given mail address the first time
we want to write to that address. At that point we don't have a
relationship with the recipient and thus it doesn't matter whether we
trust the key or the mail address. If we had had a former
in-person communication, we would also have had a chance to exchange fingerprints.
It is more important to assure that you are always talking to the same
person/mail address after the first contact. This builds up trust in
the mail address. This is the concept of trust-on-first-use (TOFU)
which we are soon going to use as default trust model for GnuPG.
Actually it will be a combination of TOFU and the Web-of-Trust
(--trust-model=tofu+pgp).
> Someone could set up an https://wernerkoch.info with a bogus key, send
> out an email impersonating Werner and pointing to that web service,
The key would not be bogus, unless it also has my mail address, which
should be unique. Given that I sign my mails (granted, too rarely on
MLs), a TOFU system can easily detect a conflict for those who are
reading GnuPG mailing lists.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
/* Join us at OpenPGP.conf <https://openpgp-conf.org> */
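The TOFU behaviour Werner describes (bind a key to a mail address on first contact, then flag any later signed mail from that address with a different key) as an added illustration; this is not code from the post nor GnuPG's own tofu.db implementation. The store, the mail address wk@example.org, the two fingerprints and the message sequence are all constructed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class TofuStore:
    """In-memory stand-in for a TOFU database (not GnuPG's tofu.db).

    bindings maps a normalised mail address to the fingerprints that have
    signed mail from that address, each with a count of signed messages.
    """
    bindings: dict = field(default_factory=dict)

    @staticmethod
    def _norm_addr(addr: str) -> str:
        # Mail addresses are compared case-insensitively (Werner vs werner).
        return addr.strip().lower()

    @staticmethod
    def _norm_fpr(fpr: str) -> str:
        # Fingerprints are often displayed in 4-hex-digit groups; drop the spaces.
        return fpr.replace(" ", "").upper()

    def observe(self, addr: str, fpr: str) -> str:
        """Record a (mail address, signing key) pair and return the verdict.

        'new'      first signed mail ever seen from this address (trust on first use)
        'ok'       same key as before, the binding gets stronger
        'conflict' a different key now claims this address; a reader must decide
        """
        addr, fpr = self._norm_addr(addr), self._norm_fpr(fpr)
        seen = self.bindings.setdefault(addr, {})
        if not seen:
            seen[fpr] = 1
            return "new"
        if fpr in seen:
            seen[fpr] += 1
            return "ok"
        # Another key signing mail from an address already bound to a key:
        # exactly the case Werner says a TOFU system detects.
        seen[fpr] = 1
        return "conflict"

    def keys_for(self, addr: str) -> dict:
        return dict(self.bindings.get(self._norm_addr(addr), {}))


_ADDR_RE = re.compile(r"<([^<>]+)>")


def key_claims_address(user_ids, addr: str) -> bool:
    """Key-discovery sanity check: does the fetched key carry a user ID with
    exactly the mail address we looked it up for?  (Werner's point that a key
    found at a bogus web service is not his key unless it has his address.)"""
    wanted = addr.strip().lower()
    for uid in user_ids:
        m = _ADDR_RE.search(uid)
        if m and m.group(1).strip().lower() == wanted:
            return True
    return False


# Constructed sample data: two hypothetical keys, KEY_B is not the sender's.
KEY_A = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0000 0001"
KEY_B = "FEDC BA98 7654 3210 FEDC BA98 7654 3210 0000 0002"

# (From address, fingerprint of the signing key) for four signed mails, constructed.
SIGNED_MESSAGES = [
    ("wk@example.org", KEY_A),
    ("WK@example.org", KEY_A),   # same address, different letter case
    ("wk@example.org", KEY_A),
    ("wk@example.org", KEY_B),   # a second key now claims the address
]


def run_demo() -> list:
    """Feed the constructed message sequence through the store."""
    store = TofuStore()
    return [store.observe(addr, fpr) for addr, fpr in SIGNED_MESSAGES]


if __name__ == "__main__":
    for (addr, fpr), verdict in zip(SIGNED_MESSAGES, run_demo()):
        print(f"{addr:18} {fpr[:19]}...  -> {verdict}")
    print(key_claims_address(["Werner Koch <wk@example.org>"], "wk@example.org"))
```

The first message establishes the binding, the next two strengthen it, and the fourth is reported as a conflict because a different key signed mail from an address already bound. GnuPG's real TOFU model also keeps timestamps and counts per binding so it can tell an old, well-established key from a newcomer; this toy keeps only the count.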