Question for app developers, like Enigmail etc. - Identicons
stefan.claas at posteo.de
Wed Jun 7 13:49:15 CEST 2017
On 07.06.2017 at 13:21, Peter Lebbing wrote:
> On 07/06/17 11:04, Peter Lebbing wrote:
>> On 06/06/17 20:12, Stefan Claas wrote:
>>> Is TOFU verifying the email address from the From: header of the message
>>> and then comparing it with the email address in the UID?
> Actually, that's not really correct. It also works without a From:. I
> don't know the details by heart, and I spoke too easily. TOFU verifies
> the consistency of the binding between a key and the e-mail address in a
> UID. So if so far you've seen a particular key being used for signatures
> from <jim at example.org> and suddenly it's signed by a different key that
> also has an e-mail address <jim at example.org>, TOFU will alert you that
> this is not what it expected to see.
Thanks, that's what I assumed.
> It will not alert you of similar-looking
> e-mail addresses, since this is really hard to solve, but the statistics
> printed will hopefully make you notice that even though you should see
> "10 signatures verified in the past month", it suddenly says "0
> signatures verified so far" and this tells you it is not the same key as
In Enigmail with the blue and green bar (without showing statistics) it
would simply mean that it switches from green to blue, right?
More information about the Gnupg-users
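
The binding-consistency check and the per-binding statistics discussed in the message above, as a simplified model added here; it is not GnuPG's or Enigmail's code and not part of the original message. The class and function names, the placeholder fingerprints and the sample messages are all constructed for illustration.

```python
from collections import defaultdict


class TofuStore:
    """Toy model of TOFU bookkeeping: (email, key) bindings plus counts."""

    def __init__(self):
        # email -> {fingerprint -> signatures verified so far}
        self.bindings = defaultdict(dict)

    def observe(self, email, fingerprint):
        """Record one verified signature; return (status, prior_count)."""
        email = email.strip().lower()
        known = self.bindings[email]
        prior = known.get(fingerprint, 0)
        if prior:
            status = "consistent"   # same key seen before for this address
        elif known:
            status = "conflict"     # same address, but a different key
        else:
            status = "first-use"    # nothing recorded for this address yet
        known[fingerprint] = prior + 1
        return status, prior


def replay(messages):
    """Feed (email, fingerprint) pairs through a fresh store, in order."""
    store = TofuStore()
    return [store.observe(email, fpr) for email, fpr in messages]


# Constructed sample data: fingerprints are placeholders, not real keys.
KEY_A = "AAAA" * 10
KEY_B = "BBBB" * 10
SAMPLE = (
    [("jim@example.org", KEY_A)] * 10   # established history with KEY_A
    + [("jim@example.org", KEY_B)]      # different key, same address
    + [("j1m@example.org", KEY_B)]      # similar-looking address
)

if __name__ == "__main__":
    for (email, fpr), (status, prior) in zip(SAMPLE, replay(SAMPLE)):
        print(f"{email:16} {fpr[:8]} {status:10} "
              f"{prior} signatures verified so far")
```

In this model the similar-looking address is treated as an unrelated first use, so only the count of 0 hints that the key has no history.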