adding TOFU/POP to GnuPG
Hans-Christoph Steiner
hans at guardianproject.info
Fri Mar 14 16:10:09 CET 2014
One simple idea has proven quite useful in improving security in other
protocols, but remains unimplemented in OpenPGP/GnuPG (as far as I know):
Trust On First Use/Persistence of Pseudonym (TOFU/POP). TOFU/POP is how the
vast majority of people validate ssh host keys. The idea is to mark a key
with some degree of trust on the first use (in ssh, it's full trust). Then
that creates a pseudonym for the service in question (i.e. the ssh server you
ssh'ed to) which is persisted forever.
I think that this idea would also be quite useful with OpenPGP. I can see it
two ways:
* full SSH style TOFU/POP keyring: the process of adding a key to your local
keyring marks it as trusted. Signatures also mark keys as trusted
* or a more GnuPG style: adding a key to the local keyring adds some trust,
but not as much as a signature.
While this does not provide as strong a verification as an OpenPGP signature
on a key, it is also much more likely to actually happen, and does provide a
benefit. It also does not prevent users from doing stricter verification at
any time.
Comments, flames, examples?
.hc
--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
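
The two variants proposed in the message above, written as a pin store. This is an added example, not part of the original message and not GnuPG code. Identities are assumed to be e-mail addresses, and `TofuStore`, `Trust`, `observe` and `certify` are hypothetical names.

```python
# Added illustration. TofuStore, Trust, observe and certify are hypothetical
# names, not GnuPG APIs; the fingerprints below are constructed sample values.
from enum import IntEnum

class Trust(IntEnum):
    MARGINAL = 1   # "some trust, but not as much as a signature"
    FULL = 2

class KeyConflict(Exception):
    """A different key showed up for an identity that is already pinned."""

def normalize(fpr):
    return "".join(fpr.split()).upper()

class TofuStore:
    def __init__(self, ssh_style):
        # ssh_style=True: adding a key grants full trust (first variant).
        # ssh_style=False: adding a key grants marginal trust (second variant).
        self.first_use = Trust.FULL if ssh_style else Trust.MARGINAL
        self.pins = {}  # identity -> [fingerprint, trust]

    def _check(self, identity, fpr):
        pin = self.pins.get(identity)
        if pin is not None and pin[0] != fpr:
            # Persistence of pseudonym is broken: surface it, never re-pin silently.
            raise KeyConflict(f"{identity}: pinned {pin[0]}, saw {fpr}")
        return pin

    def observe(self, identity, fingerprint):
        """Key added to the keyring or used: pin on first use, compare afterwards."""
        fpr = normalize(fingerprint)
        pin = self._check(identity, fpr)
        if pin is None:
            pin = self.pins[identity] = [fpr, self.first_use]
        return pin[1]

    def certify(self, identity, fingerprint):
        """Stricter verification (a signature on the key) raises the pin to FULL."""
        fpr = normalize(fingerprint)
        self._check(identity, fpr)
        self.pins[identity] = [fpr, Trust.FULL]
        return Trust.FULL

FPR_A = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"  # constructed
FPR_B = "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"  # constructed

if __name__ == "__main__":
    store = TofuStore(ssh_style=False)
    print(store.observe("alice@example.org", FPR_A).name)   # first use
    print(store.certify("alice@example.org", FPR_A).name)   # after signing
```

In both variants a changed key raises `KeyConflict` instead of replacing the pin; whether an explicit signature should be allowed to override an existing pin is a policy choice this example leaves out.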