Key selection order

Robert J. Hansen rjh at sixdemonbag.org
Thu Jan 14 19:09:20 CET 2016


> Yes, of course. I'm just wondering whether there's anything that I can
> do to increase the probability that a user who looks me up and emails me
> out of nowhere will get the right key.

Tell them to look you up by fingerprint.  Problem solved.

> This breaks the "look up key and then just use ToFU" workflow...

No, it breaks up the "grab a random certificate that claims to be mine
and just use it" workflow, which is stupid, and isn't even what the TOFU
advocates suggest.

TOFU is built on trusting certificates that are used in received mail.
If you receive a mail signed by 0xB44427C7, TOFU says "you should
probably trust this is from rjh at sixdemonbag.org."

But if you don't already have the certificate, and you're looking for it
on a keyserver, TOFU says "you should really pull it down by long key ID
or fingerprint."
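
An added example, not part of the original message: selecting a certificate from a keyserver result by fingerprint or long key ID and refusing anything shorter, with the v4 fingerprint computed as in RFC 4880 section 12.2. The user ID, the toy RSA values and the helper names are constructed for illustration.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def toy_rsa_packet(created: int, n: int, e: int = 65537) -> bytes:
    """Constructed v4 public-key packet body: version, creation time, algo 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the public-key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def normalize(ident: str) -> str:
    """Strip spaces and an optional 0x prefix; return upper-case hex."""
    ident = ident.replace(" ", "").upper()
    return ident[2:] if ident.startswith("0X") else ident

def select_key(candidates, wanted):
    """candidates: list of (user_id, packet_body). The user ID is never consulted,
    because it is only a claim made by whoever uploaded the certificate."""
    wanted = normalize(wanted)
    if len(wanted) not in (16, 40):
        raise ValueError("use a long key ID (16 hex digits) or a fingerprint (40)")
    # The long key ID is the low 64 bits of the fingerprint, so a suffix match covers both.
    return [(uid, body) for uid, body in candidates
            if v4_fingerprint(body).endswith(wanted)]

# Constructed keyserver result: two certificates carrying the same user ID.
UID = "Example User <user@example.org>"
GENUINE = toy_rsa_packet(1452794960, 0xC0FFEE1234567890ABCDEF)
OTHER = toy_rsa_packet(1452794961, 0xDEADBEEF0987654321FEDC)
CANDIDATES = [(UID, OTHER), (UID, GENUINE)]
PINNED = v4_fingerprint(GENUINE)  # stands in for a fingerprint received out of band

if __name__ == "__main__":
    for uid, body in select_key(CANDIDATES, PINNED):
        print(uid, v4_fingerprint(body))
```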


