Question for app developers, like Enigmail etc. - Identicons

Peter Lebbing peter at
Wed Jun 7 11:04:46 CEST 2017

On 06/06/17 20:12, Stefan Claas wrote:
> Is TOFU verifying the email address from the from: header of the message
> and then compares it with the email address in the UID?


> I ask, because
> if i would use a free form UID with no email address

That would make it difficult.

>, or i use an Anon
> Remailer with a nym account where both email addresses are not identical.

This doesn't seem like a problem, depending on some assumptions. In the
usual case where you wouldn't want the two accounts linked to the same
person, you would use two completely separate certificates, each with
their own pseudonym with nym address.

If you don't care that peole realize they belong to the same person, you
would create two UIDs on the same key, one for each nym account.

> I just installed modern GnuPG and used it with two inline PGP messages from
> Usenet and i like it. :-)

Good to hear :-).

> I tried also with Enigmail under OS X but when checking the signatures here
> from the list members i always get the blue "Untrusted Good Signature".

Did you already enable TOFU? It needs a line in your gpg.conf. Either:

trust-model tofu


trust-model tofu+pgp

The latter combines it with the Web of Trust. See the manpage for more
info. gpg.conf is in your GnuPG homedir. I think this is ~/.gnupg by
default on OS X as well.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170607/e67e4056/attachment.sig>

More information about the Gnupg-users mailing list