On Sun, Jun 04, 2017 at 10:47:56PM +0200, Stefan Claas wrote:
>
> I'm not yet familiar with the TOFU model, but if it helps to spot a
> fake pub key immediately, in addition to the regular trust-model I
> see no reason why not.

That's pretty much exactly what it does. TOFU stands for Trust On First Use, so even if a key is not explicitly trusted or signed, GPG will maintain a record of the number of times a signed message has been seen from it, associated user IDs and email addresses and so on. It will also report discrepancies.

It's pretty much how most people had been unofficially handling things anyway in order to favour encryption even with unknown parties.

It is, of course, another reason why people tend not to look back after switching to GPG 2.1.

Regards,
Ben

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
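
A simplified model of the bookkeeping described in the reply above (a per-address record of which key signed how many messages, with discrepancies reported), added here as an illustration. It is not code from the thread or from GnuPG; the class names, status strings and sample fingerprints are assumptions made for the example.

```python
# Simplified model of TOFU bookkeeping; not GnuPG's implementation or database format.
from dataclasses import dataclass, field


@dataclass
class Binding:
    fingerprint: str
    verified: int = 0  # validly signed messages seen for this (email, key) pair


@dataclass
class TofuStore:
    # email address -> {fingerprint -> Binding}
    bindings: dict = field(default_factory=dict)

    def observe(self, email: str, fingerprint: str) -> str:
        """Record one validly signed message and classify the binding."""
        email = email.strip().lower()
        keys = self.bindings.setdefault(email, {})
        if fingerprint in keys:
            keys[fingerprint].verified += 1
            # An unresolved second key keeps the address flagged.
            return "conflict" if len(keys) > 1 else "known"
        first = not keys
        keys[fingerprint] = Binding(fingerprint, verified=1)
        # A different key already speaks for this address: report it.
        return "first-use" if first else "conflict"

    def report(self, email: str) -> list:
        """(fingerprint, count) pairs for an address, most-seen first."""
        keys = self.bindings.get(email.strip().lower(), {})
        return sorted(((b.fingerprint, b.verified) for b in keys.values()),
                      key=lambda pair: -pair[1])


def demo() -> list:
    # Constructed sample data: placeholder fingerprints, example.org address.
    store = TofuStore()
    seen = [("alice@example.org", "AAAA1111")] * 3
    seen.append(("Alice@Example.org", "BBBB2222"))  # same address, new key
    return [store.observe(addr, fpr) for addr, fpr in seen]


if __name__ == "__main__":
    print(demo())
```

The message counts are what make a conflict actionable: a key seen many times over a long period is a stronger binding than one that has just appeared for the same address.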