the TOFU lie - or why I want my meat...
Neal H. Walfield
neal at walfield.org
Thu Apr 9 17:16:24 CEST 2015
I apologize for the late reply. Your arguments are well stated and I
needed some time to digest them and to do some reading and thinking of
I think it is fair to summarize your post as follows: TOFU is
significantly weaker than the Web of Trust and adoption of TOFU will
weaken the WoT. Although you provide a number of arguments that
support your claim that TOFU is weak, you didn't provide any arguments
that the WoT is significantly stronger. I think that this is where
your argument breaks down. The following are some weaknesses in the
- When you rely on the WoT, you rely on the people who made the
signatures to have done due diligence (which is itself not very
There are, however, many examples of people signing keys that they
haven't checked or checked poorly. In 2006, for instance, Martin
Krafft used a "fake" id at the DebConf KSP. Only 1 in 10 people
called him out. Here's his explanation and some reactions:
More recently (2014), Martin tweeted:
Received signatures for my #GPG key again at #DebConf14 although
I did not attend the keysigning event.
- You bring up nation states as potential threats multiple times.
This is ironic, because key signatures are typically based on
verifying government issued id. If the government wants to
infiltrate the WoT, it apparently just has to create a few fake ids
and send some agents to a Debian KSP after which they'll quickly be
in the strongly connected set and can certify any key they like.
See this note from Mike Perry (Tor Project) covering this as well
as other weaknesses in the WoT:
(He also argues for TOFU and multipath authentication.)
- In practice, the WoT is hard to use. If you endow marginal trust
in others' signatures, then it can be hard to find a good path.
The other day, I tried to verify a friend's key. Even though I
have about 100 signatures on my main key and he has 37, gpg said
his key was not trusted.
- The practical result is that exploiting the WoT is hard. You
either need to directly verify someone's identity (which isn't
really WoT), get a lot of signatures or just ignore the frequent
not trusted warnings (which I and many others often do).
- Ignoring these warnings *is* a serious problem as Erinn Clark, the
release manager for Tor, has recently observed. Someone uploaded a
key with her identity to the public key servers. If people have
gotten into the bad habit of using trust=always (or ignoring the
warning), then they'll happily accept signatures from this bad key.
TOFU and its emphasis on consistency could potentially help here.
- Indeed, some well-known cryptographers, such as Peter Gutmann,
argue that continuity (i.e., TOFU) is strictly better than third
party attestations (i.e., signatures):
http://www.cypherpunks.to/~peter/T2_Key_Management.pdf (Page 8).
- The WoT suffers from the revocation problem. For instance, it
takes hours for key updates to propagate between the servers
participating in pool.sks-keyservers.net. Further, GnuPG doesn't
check for key updates automatically so the problems are actually
worse than when using PKI.
- The WoT leaks lots of information.
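
The consistency check mentioned in the point about a key uploaded under someone else's identity, as an added example that is not part of the original message and is not GnuPG code. The TofuStore class, the address and both fingerprints are constructed for illustration.

```python
"""Added illustration: first-use pinning vs. accepting every valid signature."""
from collections import Counter

def normalize(fpr):
    # Fingerprints are compared as upper-case hex without spaces.
    return fpr.replace(" ", "").upper()

class TofuStore:
    """Hypothetical store: remembers the first key seen for each address."""

    def __init__(self):
        self.pinned = {}       # address -> fingerprint seen first
        self.seen = Counter()  # (address, fingerprint) -> signed messages seen

    def check(self, address, fpr):
        address, fpr = address.strip().lower(), normalize(fpr)
        self.seen[(address, fpr)] += 1
        first = self.pinned.setdefault(address, fpr)
        if first != fpr:
            return "conflict"  # same identity, different key: ask the user
        return "new" if self.seen[(address, fpr)] == 1 else "consistent"

def accept_always(address, fpr):
    # Models the habit of ignoring trust warnings: every valid signature passes.
    return "accepted"

# Constructed sample: (claimed address, fingerprint of the signing key).
GOOD = "1111 2222 3333 4444 5555 6666 7777 8888 9999 AAAA"
LOOKALIKE = "BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333 4444"
MESSAGES = [
    ("release@example.org", GOOD),
    ("release@example.org", GOOD),
    ("Release@example.org", LOOKALIKE),  # same identity, someone else's key
    ("release@example.org", GOOD),
]

def run(messages):
    # Returns one (accept-always verdict, TOFU verdict) pair per message.
    store = TofuStore()
    return [(accept_always(a, f), store.check(a, f)) for a, f in messages]

if __name__ == "__main__":
    for (always, tofu), (addr, fpr) in zip(run(MESSAGES), MESSAGES):
        print(f"{addr:22} {normalize(fpr)[-8:]}  always={always}  tofu={tofu}")
```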