Question for app developers, like Enigmail etc. - Identicons

Peter Lebbing peter at
Wed Jun 7 13:21:44 CEST 2017

On 07/06/17 11:04, Peter Lebbing wrote:
> On 06/06/17 20:12, Stefan Claas wrote:
>> Is TOFU verifying the email address from the from: header of the message
>> and then compares it with the email address in the UID?
> Yes.

Actually, that's not really correct. It also works without a From:. I
don't know the details by heart, and I spoke too easily. TOFU verifies
the consistency of the binding between a key and the e-mail address in a
UID. So if so far you've seen a particular key being used for signatures
from <jim at> and suddenly it's signed by a different key that
also has an e-mail address <jim at>, TOFU will alert you that
this is not what it expected to see.

Your e-mail client can also verify the consistency between the UID and
the From:, but GnuPG primarily checks the consistency of the mapping
between key and UID on the key. And it also works on the command line,
where no From: is available. It will not alert you of similar-looking
e-mail addresses, since this is really hard to solve, but the statistics
printed will hopefully make you notice that even though you should see
"10 signatures verified in the past month", it suddenly says "0
signatures verified so far" and this tells you it is not the same key as



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170607/74090226/attachment.sig>

More information about the Gnupg-users mailing list