Are TOFU statistics used for validity or conflict resolution?
Neal H. Walfield
neal at walfield.org
Fri Jun 23 12:56:09 CEST 2017
At Fri, 23 Jun 2017 12:52:48 +0200,
Peter Lebbing wrote:
>
> On 23/06/17 11:14, Neal H. Walfield wrote:
> > No, both keys are set to ask. The key with a lot of observed
> > signatures could be bad. This could occur, if there is a MitM, but
> > the MitM has a small lapse, because, perhaps, you've used an
> > unintercepted network path to retrieve the "new" signature & key.
>
> So if I understand correctly, the "summary"/"validity" field merely
> affects the text that is displayed to the user when displaying TOFU
> statistics?
It's up to the GPG client to interpret it. This document (authored by
Andre and me) has some recommendations for MUAs:
https://wiki.gnupg.org/EasyGpg2016/AutomatedEncryption
:) Neal