the TOFU lie - or why I want my meat...

Neal H. Walfield neal at
Thu Apr 9 17:16:24 CEST 2015

Hi Christoph,

I apologize for the late reply.  Your arguments are well stated and I
needed some time to digest them and to do some reading and thinking of
my own.

I think it is fair to summarize your post as follows: TOFU is
significantly weaker than the Web of Trust and adoption of TOFU will
weaken the WoT.  Although you provide a number of arguments that
support your claim that TOFU is weak, you didn't provide any arguments
that the WoT is significantly stronger.  I think that this is where
your argument breaks down.  The following are some weaknesses in the

 - When you rely on the WoT, you rely on the people who made the
   signatures to have done due diligence (which is itself not very
   well defined).

   There are, however, many examples of people signing keys that they
   haven't checked or checked poorly.  In 2006, for instance, Martin
   Krafft used a "fake" id at the DebConf KSP.  Only 1 in 10 people
   called him out.  Here's his explanation and some reactions:

   More recently (2014), Martin tweeted:

     Received signatures for my #GPG key again at #DebConf14 although
     I did not attend the keysigning event.

 - You bring up nation states as potential threats multiple times.
   This is ironic, because key signatures are typically based on
   verifying government issued id.  If the government wants to
   infiltrate the WoT, it apparently just has to create a few fake ids
   and send some agents to a Debian KSP after which they'll quickly be
   in the stongly connected set and can certify any key they like.

   See this note from Mike Perry (Tor Project) covering this as well
   as other weaknesses in the WoT:

   (He also argues for TOFU and multipath authentication.)

 - In practice, the WoT is hard to use.  If you endow marginal trust
   in others' signatures, then it can be hard to find a good path.
   The other day, I tried to verify a friend's key.  Even though I
   have about 100 signatures on my main key and he has 37, gpg said
   his key was not trusted.

 - The practical result is that exploiting the WoT is hard.  You
   either need to directly verify someone's identity (which isn't
   really WoT), get a lot of signatures or just ignore the frequent
   not trusted warnings (which I and many others often do).

 - Ignoring these warning *is* a serious problem as Erinn Clark, the
   release manager for Tor, has recently observed.  Someone uploaded a
   key with her identity to the public key servers.  If people have
   gotten into the bad habit of using trust=always (or ignoring the
   warning), then they'll happily accept signatures from this bad key.
   TOFU and its emphasis on consistency could potentially help here.

 - Indeed, some well-known cryptographers, such as Peter Gutmann,
   argue that continuity (i.e., TOFU) is strictly better than third
   party attestations (i.e., signatures): (Page 8).

 - The WoT suffers from the revocation problem.  For instance, it
   takes hours for key updates to propagate between the servers
   participating in  Further, GnuPG doesn't
   check for key updates automatically so the problems are actually
   worse than when using PKI.

 - The WoT leaks lots of information.



More information about the Gnupg-devel mailing list