TOFU for GnuPG

Hi,

Last week, I checked in the TOFU code for GnuPG.  This code will be
part of the next release.  It would be great to get some additional
testing before this happens!


Background
----------

TOFU stands for Trust on First Use and is a concept that will be
familiar to anyone who regularly uses ssh.  When you ssh to a host for
the first time, ssh asks you to verify the host's key (most people
just say yes here).  When connecting to the same host in the future,
ssh checks that the key hasn't changed.  If it has, ssh displays a
warning.

TOFU for GnuPG works similarly.  When you verify a message from some
user for the first time, GnuPG saves the binding between the user id
(actually, the normalized email address) and the key.  When you verify
another message from that user, the saved bindings with that user's
address are retrieved.  If there is at least one such binding, but
none of them include the signer's key, then either the signer is using
a new key or someone is attacking you.  In this case, GnuPG displays a
warning and prompts you to verify the key and set an appropriate
policy (e.g., the key should be considered untrusted).

In contrast to the Web of Trust (WoT), TOFU's security guarantees are
rather weak.  When using the WoT correctly, you can have high
confidence that if GnuPG says a given key is controlled by a specific
user, then it probably is.  TOFU, on the other hand, is only able to
detect when the key associated with an email address has changed.  In
other words, TOFU detects inconsistencies.

Despite this, TOFU will be more secure than the WoT for most users in
practice.  This is because using the WoT requires a lot of effort.
First, you have to actively exchange fingerprints with other users and
sign their keys.  Most people can't be bothered to take the time to do
this.  Second, in order to actually use the WoT to verify keys that
you have not directly signed, you need to tell GnuPG how much you
trust other people to correctly verify keys the keys that they sign
(i.e., you need to set the owner trust).  In practice, even fewer
people do this.  But, even if you do do this, you can only confidently
set the owner trust for people that you've actually met.  Thus, the
WoT can only really be used to verify the keys of friends of friends.
This seriously limits the number of people you can securely
communicate with.

Happily you don't need to choose between TOFU and the WoT.  It is
possible to combine them using the tofu+pgp trust model.  In this
model, the trust level for a key under each model is computed and then
the maximum is taken according to the following ordering:

  unknown < undefined < marginal < fully < ultimate < expired < never

For users who want TOFU's ability to detect conflicts, but don't like
that TOFU assigns positive (marginal) trust to new keys without
prompting, it is possible to change the default policy to unknown or
to always prompt the user for the policy for new keys using the
--tofu-default-policy option.  When setting the default policy to
unknown, the WoT will be used for all trust judgments unless TOFU
detects a conflict.


How-to
------

In general, there is no reason to use the bare tofu model.  Instead,
tofu+pgp is the recommended model.  If you've never signed a key, then
this effectively degrades back to the tofu model.

To set the trust model to tofu+pgp, add the following to your
~/.gnupg/gpg.conf file:

  trust-model tofu+pgp

If you don't want TOFU to assign positive trust to new keys by
default, then you should also add the following to your gpg.conf file:

  tofu-default-policy unknown

These and a few other new options are described in detail in the
manual (search for tofu).


There isn't much more to do.

Verifying a message works as usual:

  $ gpg2 --verify EE37CF96-6.txt
  gpg: Signature made Fri 18 Sep 2015 03:16:17 PM CEST using RSA key ID EE37CF96
  gpg: Good signature from "Testing (insecure!)" [unknown]
  gpg: Verified 5 messages signed by "Testing (insecure!)" (key: 362D 3527 F53A AD19 71AA  FDE6 5885 9975 EE37 CF96, policy: auto) in the past 42 minutes, 59 seconds.
  gpg: Warning: if you think you've seen more than 5 message signed by this key, then this key might be a forgery!  Carefully examine the email address for small variations (e.g., additional white space).  If the key is suspect, then use 'gpg --tofu-policy bad "362D 3527 F53A AD19 71AA  FDE6 5885 9975 EE37 CF96"' to mark it as being bad.

Here, the only change are a few additional messages.  First, some
statistics are displayed, namely, that we've verified 5 messages
signed by this key in the past last hour.  Further, a warning is
printed that the number of messages that we've verified is rather
small and we should be suspicious of this binding.  This information
is displayed to make it easier to recognize forged keys.

Unlike with ssh where the user types the name of the host to connect
to, an attacker is able to control the content of the user id field.
To work around the protections that TOFU offers, an attacker will use
a similarly looking, but different email address.  It's impossible to
reliably detect these forgeries.  Instead, we rely on the email client
to compare the sender with the signer and display a warning if these
don't match.  Further, we provide these statistics so that users will
become suspicious if suddenly GnuPG claims that it has only seen a
single message from a person with whom they are in regular contact.

Here we see what happens when GnuPG verifies a message and there is a
conflict:

  $ gpg2 --verify BC15C85A-1.txt
  gpg: Signature made Fri 18 Sep 2015 02:06:17 PM CEST using RSA key ID BC15C85A
  gpg: Good signature from "Testing (insecure!)" [unknown]
  Please indicate whether you believe the binding <439D 954F 18F7 9CC4 F71B  ED91 CACE D996 BC15 C85A, testing (insecure!)> is legitimate (the key belongs to the stated owner) or a forgery (bad).
 
  Known user ids associated with this key:
    Testing (insecure!) (policy: ask)
 
  Statistics for keys with the email 'testing (insecure!)':
    439D 954F 18F7 9CC4 F71B  ED91 CACE D996 BC15 C85A (this key):
      0 signed messages.
    362D 3527 F53A AD19 71AA  FDE6 5885 9975 EE37 CF96 (policy: ask):
      6 messages signed over the past 1 month.
 
  Normally, there is only a single key associated with an email address.  However, people sometimes generate a new key if their key is too old or they think it might be compromised.  Alternatively, a new key may indicate a man-in-the-middleattack!  Before accepting this key, you should talk to or call the person to make sure this new key is legitimate.
 
  (G)ood/(A)ccept once/(U)nknown/(R)eject once/(B)ad? g
  gpg: Verified 0 messages signed by "Testing (insecure!)" (key: 439D 954F 18F7 9CC4 F71B  ED91 CACE D996 BC15 C85A, policy good).

In this case, I've marked the key as being good.


I'd appreciate any feedback regarding this new feature (both positive
and negative!).  In particular, I'm interested in learning how well
this fits into your work flow and whether or not you'll use it.

Note: GpgME has not yet been extended to support TOFU so these
messages might not be shown.


Thanks!

:) Neal

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Hello,
Am 29.10.2015 um 15:06 schrieb Neal H. Walfield:
> First, some
> statistics are displayed, namely, that we've verified 5 messages
> signed by this key in the past last hour.

isn’t it a little bit problematic that GPG now logs how often I received
emails by someone else?

Sincerely,
DaB.



_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Hi Neal,

Thanks for the heads-up on this. TOFU seems like a really big feature for
everyday use!

Out of curiosity: Does the TOFU implementation for gpg already allow for key
transition statements / is this planned for some point in the future?

Cheers,
  Johannes



_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On 29/10/15 17:23, Daniel Baur wrote:
> isn’t it a little bit problematic that GPG now logs how often I received
> emails by someone else?

I would think that in most situations, that is not a problem. If you exclusively
use webmail, there isn't such a record directly on your computer's disk, but you
also can't use GnuPG with webmail, AFAIK. If you use a regular e-mail program
that works with GnuPG, that information is already on your disk and accessible
to the user account you run it as, so duplicating that information in the GnuPG
home directory adds nothing.

Do you know of a scenario where this information is not already available from
the e-mail program? Even if the user deletes the mail after they read it, I
wouldn't be at all surprised if this just marks the data as deleted rather than
that it scrubs the data from the disk. This would muddy the statistics, but
hardly be a security feature.

Also, you could just disable TOFU if you're worried by it, but you would lose
the functionality as well...

Maybe there's a use case for optionally not gathering these statistics if key
validity is already established through the WoT. That way, if you want to keep
the frequency of correspondence a secret, you could use the WoT to establish
validity.

An option to not gather statistics for specific keys rather calls out those keys
as interesting, and an option to disable the statistics for all TOFU keys seems
like losing a very valuable tool in assessing which key is the One Key.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

At Thu, 29 Oct 2015 18:48:43 +0100,
Johannes Zarl-Zierl wrote:
> Out of curiosity: Does the TOFU implementation for gpg already allow for key
> transition statements / is this planned for some point in the future?

Unfortunately, it doesn't.  This is because there is currently no
standard way to communicate the id of the new key.  I've proposed a
solution for this for the next OpenPGP version, which is currently
being work on.  There appears to be some interest, but unfortunately I
haven't had time to work on that recently.

Thanks!

:) Neal

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Hi Peter,

At Thu, 29 Oct 2015 19:57:29 +0100,
Peter Lebbing wrote:
I think this mostly reflects our thinking.  Thanks for the good
summary.

FWIW, we have thought of aging the data or just storing the hash of
the most recent X signatures.  But, we decided to defer that
discussion until later since it should be easy to add on.

To keep the code simple, I'd prefer to avoid adding options that few
people will use and are of questionable utility.  In particular, I
think if someone's security requirements are such that having a list
of the hashes of previously seen messages is too big of a security
risk, then they should probably just disable TOFU.  Indeed, TOFU
itself probably violates their security requirements.

Thanks!

:) Neal

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On Thu, 29 Oct 2015 17:23, [hidden email] said:

> isn’t it a little bit problematic that GPG now logs how often I received
> emails by someone else?

Well, you MUA does it already.  The IMAP server of your provider also
has this information, and, worst of all, your responsible surveillance
agency has this information at their fingertips.  Protecting mail meta
data is pretty hard and close to impossible if you do not want to leave
traces on your local machine.  For high security areas Tofu is
definitely not an option.


Salam-Shalom,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



On Thursday 29 October 2015 at 9:28:54 PM, in
<mid:[hidden email]>, Neal H. Walfield wrote:



> Unfortunately, it doesn't.  This is because there is
> currently no standard way to communicate the id of the
> new key. I've proposed a solution for this

Wouldn't a signature notation (in a self-signature) be sufficient for
this? Something like:-

[hidden email]=[fingerprint]

And for key transition statements, perhaps a second notation:-

[hidden email]=[URL]




- --
Best regards

MFPA                  <mailto:[hidden email]>

Versifiers write poems for it.
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJWM1gGXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwpLcH+wW+rpDMLZiYJnRlvEX/Eil6
V/3LvPvx0HPlY2Khe8xF9tlm+/QDhG9D3b2higZq6KEB5PAYrXIwmAUokNf9uRt2
G++ZGzRtjD1vCD97PDlwf2E7UQm3N0CM7Z8tgaGPworqXYuJJOSGVXcRP/rRQp1L
ikfFxtCgZDE9c+3VJGDTGh1Pf1dFQvnsjllh0q1pYi4nrX4ZRZ+mEfuGMJXIjLwK
2pCBf/gUQezeCUCF9XwBlGRRHdMp6o64GHJbp5aZLFqr6vvH4pn9HkMUKnY5zRnc
m2kxOstix9yrfDQckao/VThb3MKFPTNDM++lfCJK5Tc2T7fOU6EZOmeaaOL8uYyI
vgQBFgoAZgUCVjNYDV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45GhkAQCLLEsCe5cZL4XPoZF3nTIBIFyL
dycllokt1e67PovWPgEAjmYeoT0I57iQ8tOTVmq7gjslYXNaBsc/FzcVXYht8wE=
=Bnqj
-----END PGP SIGNATURE-----


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

At Fri, 30 Oct 2015 11:43:28 +0000,
MFPA wrote:
Sure.  But your point is a red herring.  There is *currently* no way
to do this.  However, the next version of the OpenPGP spec should have
a way to do this.

Neal

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Thursday 29 October 2015 at 2:06:51 PM, in
<mid:[hidden email]>, Neal H. Walfield wrote:


> When you verify a
> message from some user for the first time, GnuPG saves
> the binding between the user id (actually, the
> normalized email address) and the key.

The email address in the user-id, or the email address the message
appears to come from?

If it's the email address in the user-id, what happens if the key has
multiple UIDs covering several email addresses? Or if the user-ids
contain no readable email addresses?



> When you verify
> another message from that user, the saved bindings with
> that user's address are retrieved.  If there is at
> least one such binding, but none of them include the
> signer's key, then either the signer is using a new key
> or someone is attacking you.  In this case, GnuPG
> displays a warning and prompts you to verify the key
> and set an appropriate policy (e.g., the key should be
> considered untrusted).

How does it handle a new signing sub-key?


- --
Best regards

MFPA                  <mailto:[hidden email]>

I would like to help you out. Which way did you come in?
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJWM10+XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXw2nkH/2CkLOat3z/DNWZB8oqVA3un
Jlt2G2EjAOjMhmKWMbw8Iw4IY2xDelWZZommxoOi4MZeBVVv7QRhS7XJyHoFmUac
4/p9Vsf9ftp82njw31RxGNZ3uDlEBVr8JnnbrXYcqT7UUvJBgd8Cnj3tZYHISI/v
UWUY2wniUT2A7wguPuDnToCVnttFRLU0fbV+1N6nE0h1nBP31yMoweKbFTosSzNF
EhPI04uQDoofvgMtNgT3qftqeGUrTi/2sjuScYzXMDbFd0H/XOGGJWpD94GOVm1j
MYYIuPwEgWnN7d6ng0cLe2KWliASu9Msb3W37il9Ws+E0d0WWjtZEJRJ5csPcH2I
vgQBFgoAZgUCVjNdQ18UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45L/+AQDq9C3vMEi9vaMj7JAgktSE7feq
3dRwtzTWZd+iYWhkIwD8D4iPcInYROnoCDj9+bLEYEpZIllvfCgPqG8rzIrGlQk=
=mAZf
-----END PGP SIGNATURE-----


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

At Fri, 30 Oct 2015 12:06:14 +0000,
MFPA wrote:
The user ids are used.  These are authorative.  If there are N user
ids, then N bindings are maintained.

The primary key is always used in the binding.

Thanks,

:) Neal

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Hi,

On Thursday 29 October 2015 22:28:54 Neal H. Walfield wrote: I don't fully understand why you need formalized transition statements.
Couldn't you just treat Key / UIDs that are signed by each other as "two valid
keys for this UID"?

So when I transition to another key I just sign it with the old key and GnuPG
can detect that and not show a warning about it?

This would also solve the problem that some users may have multiple keys with
the same UID's which are both valid.


Regards,
Andre

--
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Friday 30 October 2015 at 11:51:27 AM, in
<mid:[hidden email]>, Neal H. Walfield wrote:


> Sure.  But your point is a red herring.  There is
> *currently* no way to do this.  However, the next
> version of the OpenPGP spec should have a way to do
> this.

My point was "there is already a way to do this: use signature
notations". Is that a red herring?


- --
Best regards

MFPA                  <mailto:[hidden email]>

Don't talk unless you can improve on the silence
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJWM392XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwkd8H/1u3U7wdJ6XjB2FGcFbf0btw
1yK/xL3RqUxbnVMkVhjoUr98xdM2lm40GPTzhH0vu7CYPgI+xHfZMUJZtoSmBQLS
a+6Mp9YY7hyYrRl2SjySMpPuxpzDek62nhdqkEclQglus2ZBcnq+ACrlY1Kj9oYI
EXo0i/vMUsPck9xDh2wm+2hIR5f+BMMQk6NRaDgmP1xkktCwkJIcb7BYEEHG11G/
dTQe9QRG5jZ/kozQkmXC+5BokoQeEnHUIFmzQB2E975COH82L/V1lJ+Hj6XnODlN
PyzkjJqzT8VB7H5OQJzioctpxgthseodaZrzRmM4+E8Cv0QvkgksqEWchb47kMOI
vgQBFgoAZgUCVjN/fl8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45EwdAQCp/PzcYpl0ln8sjSzNoZgNLR4j
U1S1cXg35twroWmADgEAgw6AA1MxU5YjnOS7J5lfCTD8UIhuBzhvXSvcTkZsPAQ=
=wcs+
-----END PGP SIGNATURE-----


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

At Fri, 30 Oct 2015 14:32:07 +0000,
MFPA wrote:
It's not standardized.  Sure, GnuPG could use a particular notation
for this purpose, but we want to interoperability, which is why this
should be standardized in RFC 4880bis.

Neal

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Thursday 29 October 2015 at 2:06:51 PM, in
<mid:[hidden email]>, Neal H. Walfield wrote:



> First, some statistics are displayed, namely, that
> we've verified 5 messages signed by this key in the
> past last hour.


Would it say the same if it were not five unique messages? For
example, we read the same email five times and verified it each
time.

And would an option to limit the time period make sense? Meaning that
if the limit were set to X days, it would use the actual time period
if shorter but only say how many messages were verified in the last X
days if the binding were older. (Having thought this sounded like a
good idea, I am struggling to think of a use case.)


- --
Best regards

MFPA                  <mailto:[hidden email]>

If at first you don't succeed, destroy all evidence that you tried.
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJWNKyxXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwzQgIAJ9wQnC31708MAVJKiYwug00
oNjMknrPaXrXx+OIG8Vswd4IUCkNo23O9qCXuwvXzzXhYTfhz2nc+AC2uXRD71z8
zWpc3KQeeMon9qSB7ChcVi7u0w7AR+rZXZ21nV+jyQP1E6N2R+MdygmPe2uzH6OM
WbW5RI3cqU0CNSQTZDv9lNebKoZQLFDruwYN6YiTp1NA1Q1Esr8jqYkuygS4disr
B0CWyb7mKi+wWMUfWYkMXzBUiRI1fKPVG5u9iIvi644H4+VEkGeTvzEpWhLTLAcy
66eogl3CLeM+TpfreQQ9Hl/IwB7ScnPK4EokRE/hTzz5l7cROMzIURmCHLmR2JWI
vgQBFgoAZgUCVjSsv18UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45F1eAQD7dBKbkdDf2fdKcr0IliZUaLKT
qXkccpNxn13avZwCJgEAvPxXb6zAY+5n865fQ1EhVuEOTF2Jv66EJUQTDd/VUwA=
=XGow
-----END PGP SIGNATURE-----


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

At Sat, 31 Oct 2015 11:57:05 +0000,
MFPA wrote:
> > First, some statistics are displayed, namely, that
> > we've verified 5 messages signed by this key in the
> > past last hour.
>
>
> Would it say the same if it were not five unique messages? For
> example, we read the same email five times and verified it each
> time.

N is the number of unique signatures.  If you verify the message
signature multiple times, it will only count once.

> And would an option to limit the time period make sense? Meaning that
> if the limit were set to X days, it would use the actual time period
> if shorter but only say how many messages were verified in the last X
> days if the binding were older. (Having thought this sounded like a
> good idea, I am struggling to think of a use case.)

I'm sure we could do something like this, but it sounds like adding
complexity, which doesn't seem justified.

Thanks,

:) Neal

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Saturday 31 October 2015 at 8:27:09 PM, in
<mid:[hidden email]>, Neal H. Walfield wrote:


> N is the number of unique signatures.  If you verify
> the message signature multiple times, it will only
> count once.

Cool.



> I'm sure we could do something like this, but it sounds
> like adding complexity, which doesn't seem justified.

Yes, it seemed like a great suggestion until I tried to construct in
my mind a way in which it would be useful. (I think the idea occurred
to me when I was reading the discussion about whether GnuPG logging
how often I received emails from a particular sender was problematic.)



Another thought. New signatures from a key that has long been inactive
may arouse suspicion. Perhaps it would be useful to output how long
ago was the last message verified. For example:-

"66 messages signed over the past 3 years. The last was 1 year 10
months ago."



- --
Best regards

MFPA                  <mailto:[hidden email]>

Always be on the lookout for conspicuousness
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJWNe6NXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXw7PsIAKhh8R/ObXpXJfzeBoh1Jfyr
hB35bJ+7rM51nH02/z28dwXas4gqq+sHG2pK4Jv7WaW4eJ5p5OUd7JyAoc6NinoT
z8MpnxoYraAFr9oufxXmbShSEVdiMnFxC/wSLxQmJA+cc4xKbXUzY+Tf8xxQl+Tf
WU2NGPf88FIQrTsHnILcZxfICqTYzc/RXZvpkVKdUhCgs/hPxrfU18NYwThnj9k4
nZi0zWlxsySzTN6OQZzsjxSj4U1aseUbIGnU3HJQ3x6BJ62kjuE/CzaXS+1H/4wc
akxtNxBiAGJAxGhBXdFh2LnRPwp4q8X+XZZSmjocC/zldy+suPRfEEotgJ4LfpOI
vgQBFgoAZgUCVjXull8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45MPhAQCvk5UQhm4oRvDjxSui3xG2aNKG
fHL1ZkDIMtXQkiACVAD/WuAkwWTnjoDWww5X8VPcgqYs/TuHc/FL6uoLXFJL4wo=
=fBRS
-----END PGP SIGNATURE-----


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Hi,

At Sun, 1 Nov 2015 10:50:33 +0000,
MFPA wrote:
> Another thought. New signatures from a key that has long been inactive
> may arouse suspicion. Perhaps it would be useful to output how long
> ago was the last message verified. For example:-
>
> "66 messages signed over the past 3 years. The last was 1 year 10
> months ago."

This sounds like a good idea.  I'll add it.

Thanks,

:) Neal

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Hi Andre,

At Fri, 30 Oct 2015 13:23:14 +0100,
Andre Heinecke wrote:
This could work if both keys are available locally.  If you need to
look up the new key, this is not so easy.

Another problem is that this assumes that the new key has the exact
same user ids.  Oftentimes some emails will have been dropped or the
person's name changed (e.g., marriage, new title, etc.).

Thanks,

:) Neal

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Friday 30 October 2015 at 12:09:51 PM, in
<mid:[hidden email]>, Neal H. Walfield wrote:



> The user ids are used.  These are authorative.  If
> there are N user ids, then N bindings are maintained.

Presumably if no user-id contains a readable email address, no binding
is stored at all.



- --
Best regards

MFPA                  <mailto:[hidden email]>

Reality is nothing but a collective hunch.
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJWOMWoXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwCvkIAIleMBEeFtnLDizhbWL+U3lZ
iuw/1MFvlXPxI88R45p8u7c2DyYKII78jIGL2JbJBuaE/cJ/kc/WFsArGP+lO53W
YU+7etSFyIMr15Ykn/VxgfS5hqqDLwJ5XGoxs8BHV35XZAu9SjeS+IszEDJBQ5Er
0OdlVGwTTCe+a2eGbkrv8sCy6t4b92WrvW6ag+XDYlvDNugh3w4ThXujqNvldG6r
IdW54XZNnnFjjrQwUTCh5L4lM1A87RlhEJSXLyReJ/czVYJTSO9bUvplPayzv3Qe
uuNJ69Kr2YD16e6/6yrXKkkkfP+RrlYUmhDSEREXwRbCSjay8LspUdNemd+wRaOI
vgQBFgoAZgUCVjjFrV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45AsVAP9GUe9libeqGSVR/ZsCO1VJ7qaQ
070CM1961MKO8UdXCAD/eH9JEuNZthJMZAqW9JaWq69kMYb1RqJs7w6+BNZFPAo=
=XoMO
-----END PGP SIGNATURE-----


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users