TOFU

Stefan Claas stefan.claas at posteo.de
Sun Jun 25 21:42:47 CEST 2017


On Sun, 25 Jun 2017 20:09:13 +0200, Neal H. Walfield wrote:
> At Fri, 23 Jun 2017 02:07:19 +0100,
> MFPA wrote:
> > On Wednesday 21 June 2017 at 7:49:42 PM, in
> > <mid:ffb9b23c-b01b-44d0-3a75-6e5e474de196 at digitalbrains.com>, Peter
> > Lebbing wrote:-
> >   
> > > I think it's a bad UX choice to name an invalid signature
> > > "UNTRUSTED Good" and a valid signature "Good". I think it
> > > suggests they both have some credibility, which is a false
> > > suggestion.
> > 
> > I thought "good signature" just meant the message has not been
> > altered in transit.  
> 
> Nope.  A MitM could have intercepted the message and replaced the body
> with some other signed text (text that it possibly signed with a
> "fake" key).

I asked this already in this thread: do you know what TOFU does
when a man in the middle would replace (theoretically) one of
my pub keys, modify the TOFU database, set the Trust Level
to Ultimate and then send a message to me? Am I correct that
even with a modified database TOFU would tell me, wait, there
is already one key (the original one) on a key server and this
one is not the correct one?

Regards
Stefan