TOFU (was: Question for app developers, like Enigmail etc. - Identicons)

Peter Lebbing peter at
Wed Jun 7 14:24:45 CEST 2017

On 07/06/17 13:49, Stefan Claas wrote:
> In Enigmail with the blue and green bar (without showing statistics) it
> would simply mean
> that it switches from green to blue, right?

Not necessarily!

I don't know if Enigmail checks whether the From: is equal to the key
UID, but we're talking about look-alike addresses here, not completely
equal addresses, so even that wouldn't help.

It would, depending on tofu-default-policy, potentially be marked as
Good with a green bar! It is from a new key from an e-mail address never
before seen. With the default tofu-default-policy, it would *not* be
green, because it would only get marginal validity. But with
tofu-default-policy good, it would get marked as valid because there
doesn't seem to be anything wrong with it. It's only a visual similarity
that fools the user, but a computer is an exact device and doesn't know
they look similar to you.

I hope Enigmail will add the TOFU statistics to the displayed
information. Or maybe they already did, I see that I'm using Debian
jessie's enigmail package for Enigmail, and Debian jessie/stable has
pretty old packages (well maintained, but old).



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
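The post's point, that a look-alike address arrives as a brand-new binding and is judged by how tofu-default-policy treats new bindings, can be made concrete with a small toy TOFU store. This is an added example, not GnuPG's or Enigmail's code: the history, the fingerprints, the homoglyph folding table and the similarity threshold are all constructed for illustration, and the verdict names follow the post rather than GnuPG's exact validity levels.

```python
"""Toy TOFU binding store (constructed example, not GnuPG code).

Shows how the policy for a never-before-seen address changes the verdict,
and adds the look-alike check the post notes a computer does not do by itself.
"""
from difflib import SequenceMatcher

# Constructed history: address -> fingerprints previously seen signing as it.
# Fingerprints are fake placeholders.
HISTORY = {
    "alice@example.org": {"FPR-ALICE-1111"},
}


def tofu_verdict(email, fingerprint, policy="auto", history=HISTORY):
    """Verdict for one (address, key) binding.

    As in the post: a new key for a never-seen address is only 'marginal'
    under the default policy, but becomes 'full' (green bar) under
    tofu-default-policy good. Same address with a different key is a conflict.
    """
    known = history.get(email)
    if known is None:
        return "full" if policy == "good" else "marginal"
    if fingerprint in known:
        return "full"
    return "conflict"


def fold(email):
    """Collapse a few common visual twins so look-alikes compare equal.

    Assumption: this tiny table is illustrative; real confusable data is larger.
    """
    return email.lower().replace("rn", "m").replace("0", "o").replace("1", "l")


def lookalikes(email, history=HISTORY, threshold=0.9):
    """Known addresses that are visually close to `email` but not identical."""
    return [
        known for known in history
        if known != email
        and SequenceMatcher(None, fold(known), fold(email)).ratio() >= threshold
    ]


def assess(email, fingerprint, policy="auto"):
    """Combine the TOFU verdict with a look-alike warning for the UI to show."""
    return {"verdict": tofu_verdict(email, fingerprint, policy),
            "lookalikes": lookalikes(email)}
```

With policy "good" the address a1ice@example.org gets a "full" verdict even though it is one glyph away from a known sender, which is exactly the case the look-alike list is there to surface.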
