Question for app developers, like Enigmail etc. - Identicons

Stefan Claas stefan.claas at
Wed Jun 7 11:45:45 CEST 2017

On 07.06.2017 at 11:04, Peter Lebbing wrote:

> On 06/06/17 20:12, Stefan Claas wrote:
>> Is TOFU verifying the email address from the from: header of the message
>> and then compares it with the email address in the UID?
> Yes.
>> I ask, because
>> if I would use a free form UID with no email address
> That would make it difficult.
>> , or I use an Anon
>> Remailer with a nym account where both email addresses are not identical.
> This doesn't seem like a problem, depending on some assumptions. In the
> usual case where you wouldn't want the two accounts linked to the same
> person, you would use two completely separate certificates, each with
> their own pseudonym with nym address.
> If you don't care that people realize they belong to the same person, you
> would create two UIDs on the same key, one for each nym account.

Thank you very much for your detailed explanation!

>> I just installed modern GnuPG and used it with two inline PGP messages from
>> Usenet and I like it. :-)
> Good to hear :-).

I love the idea of TOFU and it's great that it is implemented in modern
GnuPG. :-)
Kudos and respect to the person who had this idea!

>> I tried also with Enigmail under OS X but when checking the signatures here
>> from the list members I always get the blue "Untrusted Good Signature".
> Did you already enable TOFU? It needs a line in your gpg.conf. Either:
> trust-model tofu
> or
> trust-model tofu+pgp

Yes, I did that and it works fine in command-line mode which also shows
me the statistics.
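
The comparison discussed in this thread (the From: address checked against the email addresses in a key's UIDs), sketched as an added illustration; it is not part of the original message and is not GnuPG's or Enigmail's code. The function names and all addresses are constructed, and lowercasing the whole address before comparing is a simplifying assumption.

```python
from email.utils import parseaddr


def uid_email(uid):
    """Return the address from a 'Name (comment) <addr>' user ID, or None.

    A free-form UID without an angle-bracketed address yields None.
    """
    start, end = uid.rfind("<"), uid.rfind(">")
    if start == -1 or end < start:
        return None
    addr = uid[start + 1:end].strip().lower()  # assumption: case-insensitive compare
    return addr if "@" in addr else None


def sender_binding(from_header, uids):
    """Classify how a From: header relates to the UIDs on the signing key.

    'match'        - the sender address appears in one of the UIDs
    'mismatch'     - the UIDs carry addresses, but none equals the sender
    'no-email-uid' - no UID carries an address, so nothing can be compared
    """
    sender = parseaddr(from_header)[1].lower()
    emails = [e for e in (uid_email(u) for u in uids) if e]
    if not emails:
        return "no-email-uid"
    return "match" if sender and sender in emails else "mismatch"


# Constructed sample cases mirroring the situations raised in the thread.
CASES = {
    "ordinary key": ("Alice <alice@example.org>",
                     ["Alice <alice@example.org>"]),
    "free-form UID": ("Alice <alice@example.org>",
                      ["Alice's signing key"]),
    "nym address differs from UID": ("nym1@nym.example",
                                     ["Alice <alice@example.org>"]),
    "one UID per nym account": ("Nym Two <NYM2@nym.example>",
                                ["Nym One <nym1@nym.example>",
                                 "Nym Two <nym2@nym.example>"]),
}

if __name__ == "__main__":
    for label, (from_header, uids) in CASES.items():
        print(f"{label}: {sender_binding(from_header, uids)}")
```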

