Are TOFU statistics used for validity or conflict resolution?

Neal H. Walfield neal at walfield.org
Fri Jun 23 12:56:09 CEST 2017


At Fri, 23 Jun 2017 12:52:48 +0200,
Peter Lebbing wrote:
> 
> On 23/06/17 11:14, Neal H. Walfield wrote:
> > No, both keys are set to ask.  The key with a lot of observed
> > signatures could be bad.  This could occur, if there is a MitM, but
> > the MitM has a small lapse, because, perhaps, you've used an
> > unintercepted network path to retrieve the "new" signature & key.
> 
> So if I understand correctly, the "summary"/"validity" field merely
> affects the text that is displayed to the user when displaying TOFU
> statistics?

It's up to the GPG client to interpret it.  This document (authored by
Andre and me) has some recommendations for MUAs:

  https://wiki.gnupg.org/EasyGpg2016/AutomatedEncryption

:) Neal


