Question for app developers, like Enigmail etc. - Identicons

Ben McGinnes ben at
Mon Jun 5 01:05:14 CEST 2017

On Sun, Jun 04, 2017 at 10:47:56PM +0200, Stefan Claas wrote:
> I'm not yet familiar with the TOFU model, but if it helps to spot a
> fake pub key immediately, in addition to the regular trust model I
> see no reason why not.

That's pretty much exactly what it does.

TOFU stands for Trust On First Use, so even if a key is not explicitly
trusted or signed, GPG will maintain a record of the number of times a
signed message has been seen from it, associated user IDs and email
addresses and so on.  It will also report discrepancies.  It's pretty
much how most people had been unofficially handling things anyway in
order to favour encryption even with unknown parties.

It is, of course, another reason why people tend not to look back
after switching to GPG 2.1.
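
The bookkeeping described above (first sighting recorded, later signatures counted, a second key turning up for an already seen address reported as a conflict), written out as a small added example. This is illustration code for this thread, not GnuPG's implementation: GnuPG keeps its real state in tofu.db under the home directory and exposes it through --trust-model tofu / tofu+pgp, --tofu-policy and --list-keys --with-tofu-info. The class names, the policy strings and the two fingerprints below are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    """One (email, key fingerprint) pair and what has been seen of it."""
    email: str
    fingerprint: str
    signatures_seen: int = 0
    policy: str = "auto"  # "auto", "good" or "bad"; names borrowed from gpg --tofu-policy


class TofuStore:
    """In-memory stand-in for a TOFU database (illustration only, not GnuPG code)."""

    def __init__(self):
        self._bindings = {}  # (email, fingerprint) -> Binding

    def _rivals(self, email, fingerprint):
        """Other keys already seen for this address that the user has not marked bad."""
        return [b for (e, f), b in self._bindings.items()
                if e == email and f != fingerprint and b.policy != "bad"]

    def observe_signature(self, email, fingerprint):
        """Record one good signature from (email, fingerprint).

        Returns (verdict, conflicting_fingerprints). A conflict means a
        different key has been seen claiming the same address, so neither
        key is trusted automatically until the user sets a policy.
        """
        email = email.lower()
        key = (email, fingerprint)
        first_use = key not in self._bindings
        if first_use:
            self._bindings[key] = Binding(email, fingerprint)
        binding = self._bindings[key]
        binding.signatures_seen += 1
        rivals = self._rivals(email, fingerprint)
        if binding.policy == "bad":
            verdict = "bad"
        elif binding.policy == "good":
            verdict = "good"
        elif rivals:
            verdict = "conflict"   # the "fake pub key" case: a second key for a known address
        elif first_use:
            verdict = "first-use"  # nothing to compare against yet; binding is now on record
        else:
            verdict = "known"
        return verdict, sorted(r.fingerprint for r in rivals)

    def set_policy(self, email, fingerprint, policy):
        """Resolve a conflict the way gpg --tofu-policy does: mark a key good or bad."""
        if policy not in ("auto", "good", "bad"):
            raise ValueError(policy)
        self._bindings[(email.lower(), fingerprint)].policy = policy

    def signatures_seen(self, email, fingerprint):
        return self._bindings[(email.lower(), fingerprint)].signatures_seen


# Constructed fingerprints for the walkthrough; they do not belong to real keys.
KEY_A = "1111111111111111111111111111111111111111"
KEY_B = "2222222222222222222222222222222222222222"


def demo():
    """First use, repeat use, a second key for the same address, then resolution."""
    store = TofuStore()
    trace = []
    trace.append(store.observe_signature("Alice@example.org", KEY_A))  # first-use
    trace.append(store.observe_signature("alice@example.org", KEY_A))  # known
    trace.append(store.observe_signature("alice@example.org", KEY_B))  # conflict with KEY_A
    trace.append(store.observe_signature("alice@example.org", KEY_A))  # still a conflict: both suspect
    store.set_policy("alice@example.org", KEY_B, "bad")                 # user decides KEY_B is the impostor
    trace.append(store.observe_signature("alice@example.org", KEY_A))  # known again
    trace.append(store.observe_signature("alice@example.org", KEY_B))  # bad
    return trace, store


if __name__ == "__main__":
    for verdict, rivals in demo()[0]:
        print(verdict, rivals)
```

The point of the walkthrough is the fourth step: once a second key has claimed the address, the original key is reported as conflicting too, because the store cannot tell which of the two is the impostor. That is the user's decision, which is why gpg asks (or applies --tofu-default-policy) rather than guessing.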
