Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

Peter Lebbing peter at digitalbrains.com
Tue Jun 6 12:46:34 CEST 2017


On 06/06/17 05:30, Duane Whitty wrote:
> As I understand the concept of TOFU (Trust On First Use), when you
> receive a signed email gpg tests that signature against the key
> retrieved from the public key servers associated with the email.

TOFU is about *consistency*. It says: this e-mail is signed by the same
key you've seen on all the earlier messages you received from this
e-mail address. It keeps count, and alerts you when all of a sudden you
start receiving signatures made by a different key.

Note that it can also be combined with the Web of Trust. You could use
TOFU just to track consistency and not award validity to keys, or you
could use TOFU to award marginal validity and obtain the remaining
validity from, e.g., marginally trusted Web of Trust signatures.

But TOFU isn't for everyone, and neither is the Web of Trust. It's your
call.

By the way, it is my feeling Stefan Claas is looking for TOFU. The
Identicon scheme feels like TOFU with the database on external storage,
to wit, the user's brain :). Better to store that database on disk,
IMHO. The (only) net loss is that there is no synchronization between
different devices.

My Enigmail works with TOFU, although I can't see any statistics. But it
correctly awards a green bar with "Good signature" to my TOFU-verified keys.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
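The consistency bookkeeping Peter describes (count signatures per address/key pair, alert on a sudden key change, optionally let a stable binding stand in for one marginal of validity) as an added example; it is not code from the original post or from GnuPG's own TOFU implementation, and the mail stream, placeholder fingerprints and thresholds are constructed for illustration:

```python
from dataclasses import dataclass

# Constructed sample input: (sender address, signing-key fingerprint) pairs as
# observed on incoming signed mail. Fingerprints are placeholders, not real keys.
SAMPLE_MAIL = [
    ("alice@example.org", "FPR-A1"),
    ("alice@example.org", "FPR-A1"),
    ("alice@example.org", "FPR-Z9"),  # sudden change of key: the alert case
]

@dataclass
class Binding:
    count: int = 0             # signed messages seen for this (address, key) pair
    conflicting: bool = False  # another key has also been seen for this address

class TofuDatabase:
    """The bookkeeping TOFU keeps on disk: which key signed mail from which
    address and how often. Verdicts: 'first use', 'consistent', 'conflict'."""

    def __init__(self):
        self.bindings = {}  # (email, fingerprint) -> Binding

    def observe(self, email, fpr):
        """Record one signed message and report whether it is consistent."""
        known = {f for (a, f) in self.bindings if a == email}
        if fpr in known:
            self.bindings[(email, fpr)].count += 1
            return "consistent"
        self.bindings[(email, fpr)] = Binding(count=1)
        if not known:
            return "first use"
        for f in known | {fpr}:  # a key change disputes every key of this address
            self.bindings[(email, f)].conflicting = True
        return "conflict"

    def validity(self, email, fpr, wot_marginals=0, min_count=2, needed=3):
        """TOFU plus Web of Trust: an undisputed binding seen min_count times is one
        marginal; WoT marginal signatures supply the rest. The thresholds (and
        'needed', mirroring GnuPG's marginals-needed default of 3) are assumptions."""
        b = self.bindings.get((email, fpr))
        units = wot_marginals + (1 if b and not b.conflicting and b.count >= min_count else 0)
        if units >= needed:
            return "full"
        return "marginal" if units else "unknown"

def run_sample():
    """Feed the constructed mail stream through a fresh database."""
    db = TofuDatabase()
    return [db.observe(addr, fpr) for addr, fpr in SAMPLE_MAIL], db
```

`run_sample()` returns the per-message verdicts together with the database, so the conflict on the third message can be inspected; a disputed binding contributes no validity until it is resolved.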
