Question for app developers, like Enigmail etc. - Identicons
ben at adversary.org
Mon Jun 5 01:05:14 CEST 2017
On Sun, Jun 04, 2017 at 10:47:56PM +0200, Stefan Claas wrote:
> I'm not yet familar with the TOFU model, but if it helps to spot a
> fake pub key imediately, in addition to the regular trust-model i
> see no reason why not.
That's pretty much exactly what it does.
TOFU stands for Trust On First Use, so even if a key is not explicitly
trusted or signed, GPG will maintain a record of the number of times a
signed message has been seen from it, associated user IDs and email
addresses and so on. It will also report discrepancies. It's pretty
much how most people had been unofficially handling things anyway in
order to favour encryption even with unknown parties.
It is, of course, another reason why people tend not to look back
after switching to GPG 2.1.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 659 bytes
Desc: not available
More information about the Gnupg-users