Question for app developers, like Enigmail etc. - Identicons

Stefan Claas stefan.claas at posteo.de
Sun Jun 4 22:47:56 CEST 2017


On 04.06.17 22:32, Kristian Fiskerstrand wrote:

> On 06/04/2017 10:25 PM, Stefan Claas wrote:
>> With Thunderbird/Enigmail (I can't speak for other apps) a user new to GnuPG
>> and not savvy with checking email headers and not carefully checking the
>> fingerprint (he must click additionally on the Details button) and who has never
>> signed a public key before would in my opinion have it easier if he would be
>> presented with an additional visual fingerprint imho, because he would immediately
>> spot after the second email if the pub-key, he not yet lsigned, that there is
>> something wrong.
>>
>> If the visual fingerprint would be bullet-proof it would not hurt to implement
>> such a feature, imho.
> Any talk about visual inspection of consistency in fingerprint seems
> like an implementation of a TOFU model rather than an actual trust
> model? So instead of doing a manual visual inspection, you'd want the
> tofu model in gpg 2.1?
>
I'm not yet familiar with the TOFU model, but if it helps to spot a fake
pub key immediately, in addition to the regular trust-model I see no
reason why not.

Regards
Stefan



