On 07/06/17 11:04, Peter Lebbing wrote:
> On 06/06/17 20:12, Stefan Claas wrote:
>> Is TOFU verifying the email address from the from: header of the message
>> and then compares it with the email address in the UID?
>
> Yes.
Actually, that's not really correct. It also works without a From:. I don't know the details by heart, and I spoke too easily.

TOFU verifies the consistency of the binding between a key and the e-mail address in a UID. So if so far you've seen a particular key being used for signatures from <j...@example.org> and suddenly it's signed by a different key that also has an e-mail address <j...@example.org>, TOFU will alert you that this is not what it expected to see.

Your e-mail client can also verify the consistency between the UID and the From:, but GnuPG primarily checks the consistency of the mapping between key and UID on the key. And it also works on the command line, where no From: is available.

It will not alert you to similar-looking e-mail addresses, since this is really hard to solve, but the statistics printed will hopefully make you notice that even though you should see "10 signatures verified in the past month", it suddenly says "0 signatures verified so far", and this tells you it is not the same key as before.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
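To make the binding check Peter describes concrete, here is a small model of a TOFU database, written as an added illustration and not taken from GnuPG's own code. It tracks, per e-mail address from a UID, which key fingerprints have signed and how many verified signatures each binding has, flags a second key claiming a known address as a conflict, and shows the "0 signatures verified so far" statistic for that new key. The address and fingerprints are constructed placeholders; the look-alike address at the end shows the limitation from the reply, namely that a similar-looking address is treated as a brand-new binding rather than a conflict.

```python
"""Minimal model of a TOFU binding database (added example, not GnuPG code).

The check is key <-> UID e-mail address consistency; the From: header is not
involved, which is why the same logic works for command-line verification.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Binding:
    """One (e-mail address, key fingerprint) binding and its history."""
    fingerprint: str
    signatures_verified: int = 0


@dataclass
class TofuDb:
    # address -> {fingerprint: Binding}
    bindings: dict = field(default_factory=lambda: defaultdict(dict))

    def verify(self, address: str, fingerprint: str) -> dict:
        """Record one verified signature and report what TOFU thinks of it.

        status:
          "new"         first key ever seen for this address
          "consistent"  the same key as before
          "conflict"    a different key claims an address already bound to another key
        seen_before: signatures previously verified for THIS key/address pair
        others:      other fingerprints known for the address with their counts
        stats:       the statistics line a user would see for this key
        """
        known = self.bindings[address]
        if fingerprint in known:
            status = "consistent"
        elif not known:
            status = "new"
        else:
            status = "conflict"
        binding = known.setdefault(fingerprint, Binding(fingerprint))
        seen_before = binding.signatures_verified
        binding.signatures_verified += 1
        others = {fp: b.signatures_verified for fp, b in known.items() if fp != fingerprint}
        stats = f"{seen_before} signature(s) verified so far for key ...{fingerprint[-8:]} with <{address}>"
        return {"status": status, "seen_before": seen_before, "others": others, "stats": stats}


def demo() -> dict:
    """Constructed scenario: ten signatures from key A, then one from key B.

    Address and fingerprints are placeholders, not real keys or people.
    """
    db = TofuDb()
    addr = "alice@example.org"       # constructed address
    lookalike = "a1ice@example.org"  # constructed look-alike (digit one for 'l')
    key_a = "A" * 40                 # constructed fingerprint placeholder
    key_b = "B" * 40                 # constructed fingerprint placeholder

    first = db.verify(addr, key_a)
    tenth = first
    for _ in range(9):
        tenth = db.verify(addr, key_a)
    # A different key now signs for the same address: TOFU flags it, and the
    # statistics for key B read "0 signatures verified so far".
    conflict = db.verify(addr, key_b)
    # A similar-looking address is a new binding, not a conflict: TOFU cannot
    # catch this, which is the limitation noted in the reply.
    similar = db.verify(lookalike, key_b)
    return {"first": first, "tenth": tenth, "conflict": conflict, "lookalike": similar}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} {result['status']:10s} {result['stats']}")
```

Running the module prints one line per step; the `conflict` line is the one a user is meant to notice, since its count is zero while the previously seen key for the same address has ten.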
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users