Question for app developers, like Enigmail etc. - Identicons

Stefan Claas stefan.claas at
Wed Jun 7 13:49:15 CEST 2017

Am 07.06.2017 um 13:21 schrieb Peter Lebbing:

> On 07/06/17 11:04, Peter Lebbing wrote:
>> On 06/06/17 20:12, Stefan Claas wrote:
>>> Is TOFU verifying the email address from the from: header of the message
>>> and then compares it with the email address in the UID?
>> Yes.
> Actually, that's not really correct. It also works without a From:. I
> don't know the details by heart, and I spoke too easily. TOFU verifies
> the consistency of the binding between a key and the e-mail address in a
> UID. So if so far you've seen a particular key being used for signatures
> from <jim at> and suddenly it's signed by a different key that
> also has an e-mail address <jim at>, TOFU will alert you that
> this is not what it expected to see.
Thanks, that's what i assumed.
> It will not alert you of similar-looking
> e-mail addresses, since this is really hard to solve, but the statistics
> printed will hopefully make you notice that even though you should see
> "10 signatures verified in the past month", it suddenly says "0
> signatures verified so far" and this tells you it is not the same key as
> before.
In Enigmail with the blue and green bar (without showing statistics) it 
would simply mean
that it switches from green to blue, right?


More information about the Gnupg-users mailing list