Question for app developers, like Enigmail etc. - Identicons

Stefan Claas stefan.claas at
Mon Jun 5 01:17:12 CEST 2017

On 05.06.17 01:05, Ben McGinnes wrote:
> On Sun, Jun 04, 2017 at 10:47:56PM +0200, Stefan Claas wrote:
>> I'm not yet familar with the TOFU model, but if it helps to spot a
>> fake pub key imediately, in addition to the regular trust-model i
>> see no reason why not.
> That's pretty much exactly what it does.
> TOFU stands for Trust On First Use, so even if a key is not explicitly
> trusted or signed, GPG will maintain a record of the number of times a
> signed message has been seen from it, associated user IDs and email
> addresses and so on.  It will also report discrepancies.  It's pretty
> much how most people had been unofficially handling things anyway in
> order to favour encryption even with unknown parties.
> It is, of course, another reason why people tend not to look back
> after switching to GPG 2.1.

Thank you very much for your explanation! This sounds excellent!
Hope i can see this soon in GPGTools implemented too.


More information about the Gnupg-users mailing list