Question for app developers, like Enigmail etc. - Identicons

Stefan Claas stefan.claas at posteo.de
Wed Jun 7 11:45:45 CEST 2017


On 07.06.2017 at 11:04, Peter Lebbing wrote:

> On 06/06/17 20:12, Stefan Claas wrote:
>> Is TOFU verifying the email address from the From: header of the message
>> and then comparing it with the email address in the UID?
> Yes.
>
>> I ask, because
>> if I would use a free form UID with no email address
> That would make it difficult.
>
>> , or I use an Anon
>> Remailer with a nym account where both email addresses are not identical.
> This doesn't seem like a problem, depending on some assumptions. In the
> usual case where you wouldn't want the two accounts linked to the same
> person, you would use two completely separate certificates, each with
> their own pseudonym with nym address.
>
> If you don't care that people realize they belong to the same person, you
> would create two UIDs on the same key, one for each nym account.

Thank you very much for your detailed explanation!

>> I just installed modern GnuPG and used it with two inline PGP messages from
>> Usenet and I like it. :-)
> Good to hear :-).

I love the idea of TOFU and it's great that it is implemented in modern
GnuPG. :-)
Kudos and respect to the person who had this idea!

>> I tried also with Enigmail under OS X but when checking the signatures here
>> from the list members I always get the blue "Untrusted Good Signature".
> Did you already enable TOFU? It needs a line in your gpg.conf. Either:
>
> trust-model tofu
>
> or
>
> trust-model tofu+pgp

Yes, I did that and it works fine in command-line mode which also shows
me the statistics.

Regards
Stefan
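
The comparison discussed in the exchange above (From: address against the address in a UID), as an added Python sketch that is not part of the original message and is not GnuPG's code. The function names, the case-insensitive match and all sample addresses are assumptions made for the illustration.

```python
import re
from email.utils import parseaddr

# Mailbox part of an OpenPGP user ID such as "Name (comment) <addr@host>".
_UID_ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>\s*$")


def uid_address(uid):
    """Return the lowercased address in a user ID, or None for a free-form UID."""
    m = _UID_ADDR.search(uid)
    return m.group(1).lower() if m else None


def sender_address(from_header):
    """Return the lowercased address from a From: header value, or None."""
    _, addr = parseaddr(from_header)
    return addr.lower() if "@" in addr else None


def match_sender(from_header, uids):
    """Return the first UID whose address equals the From: address, else None."""
    sender = sender_address(from_header)
    if sender is None:
        return None
    for uid in uids:
        # A free-form UID yields None here and therefore never matches.
        if uid_address(uid) == sender:
            return uid
    return None


if __name__ == "__main__":
    # Constructed sample data; every name and address below is made up.
    two_nyms = ["Nym One <nym1@remailer.example>",
                "Nym Two <nym2@remailer.example>"]
    cases = [
        # One key carrying a UID per nym account: the second UID matches.
        ("Nym Two <nym2@remailer.example>", two_nyms),
        # Sending address differs from the only UID address: no match.
        ("Nym <nym@remailer.example>", ["Nym <other@elsewhere.example>"]),
        # Free-form UID without an address: nothing to compare against.
        ("Some Poster <poster@news.example>", ["Some Poster (free-form UID)"]),
    ]
    for from_header, uids in cases:
        print(f"{from_header!r}: matched UID = {match_sender(from_header, uids)!r}")
```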



