adding TOFU/POP to GnuPG
Robert J. Hansen
rjh at sixdemonbag.org
Fri Mar 14 17:25:36 CET 2014
> One simple idea has proven quite useful in improving security in other
> protocols, but remains unimplemented in OpenPGP/GnuPG (as far as I know):
> Trust On First Use/Persistence of Pseudonym (TOFU/POP).
Googling for "TOFU/POP" doesn't turn up anything in the first two
pages of Google results that isn't associated with you. My initial
reaction is, "until it becomes more widely known, let's not do this --
GnuPG is a place for established technologies, not a place
technologies go to become established."
> * full SSH style TOFU/POP keyring: the process of adding a key to your local
> keyring marks it as trusted. signatures also mark keys as trusted
You've just made signatures effectively meaningless. The only way a
signature can have meaning is if it's on a certificate that for
whatever reason isn't part of your local keyring.
> * or a more GnuPG style: adding a key to the local keyring adds some trust,
> but not as much as a signature.
You're just redefining what "untrusted" means.
> While this does not provide as strong a verification as an OpenPGP signature
> on a key, it is also much more likely to actually happen, and does provide a
What benefit? It offers nothing that "trust-model always" doesn't.
If you want to always trust certificates in your keyring, then set
your gpg.conf accordingly.
More information about the Gnupg-devel