the TOFU lie - or why I want my meat...

lists-gnupgdev at lists-gnupgdev at
Thu Apr 9 22:04:46 CEST 2015


I fully support your analysis, Neal:

Am Thu, 09 Apr 2015 17:16:24 +0200
schrieb "Neal H. Walfield" <neal at>:

> I think it is fair to summarize your post as follows: TOFU is
> significantly weaker than the Web of Trust and adoption of TOFU will
> weaken the WoT.  Although you provide a number of arguments that
> support your claim that TOFU is weak,

I think "significantly weaker" does not apply as the two concepts are
not either-or: you can check the keys in critical situations (and in
those I would only rely on first hand verified keys anyway). Having TOFU
in that scenario by default only increases automated checks for most of
the time where you do not care about a trust path anyway, and therefore
strengthens the overall PGP communication "quality".

And of course a WoT is not weakened if you do TOFU in addition - as long
as you do not use TOFU information for signing.

And even then, there are enough WoT participants today who already do
weak checking:

>  - When you rely on the WoT, you rely on the people who made the
>    signatures to have done due diligence (which is itself not very
>    well defined).

Exactly, and being more aware of people with sloppy signing policies
might actually improve the WoT even more.

And another thing, having learned a "wrong" certificate with TOFU
would actually improve the chance to notice a conflict once another key
is seen. And then you can still research which one was the right one.
Something you do not get when you have two conflicting marginally
trusted keys otherwise (with default tools).
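As an added illustration of the conflict detection described in the last paragraph (example code added here, not part of the original mail or of GnuPG), a minimal TOFU binding store: the first key seen for an address is recorded, the same key is accepted afterwards, and a different key for an already-known address is flagged as a conflict to be researched rather than silently accepted. The addresses and fingerprints are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample data: hypothetical address and fingerprints, not real keys.
ALICE = "alice@example.org"
ALICE_KEY_1 = "0123456789ABCDEF0123456789ABCDEF01234567"
ALICE_KEY_2 = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"


@dataclass
class Binding:
    fingerprint: str
    observations: int = 1   # how often this key has been seen for the address
    policy: str = "auto"    # 'auto' = accepted on first use; 'good'/'bad' = user decision


@dataclass
class TofuStore:
    # address -> every key ever seen for it; conflicting keys are kept side by side
    bindings: Dict[str, List[Binding]] = field(default_factory=dict)

    def observe(self, address: str, fingerprint: str) -> str:
        """Record one (address, key) observation: 'new', 'known' or 'conflict'."""
        known = self.bindings.setdefault(address, [])
        for b in known:
            if b.fingerprint == fingerprint:
                b.observations += 1      # same key as before, history only grows
                return "known"
        known.append(Binding(fingerprint))
        # first key for this address is trusted on first use; a second one is a conflict
        return "new" if len(known) == 1 else "conflict"

    def conflicts(self) -> Dict[str, List[str]]:
        """Addresses with more than one key seen: these need manual research."""
        return {a: [b.fingerprint for b in bs]
                for a, bs in self.bindings.items() if len(bs) > 1}

    def resolve(self, address: str, fingerprint: str, decision: str) -> None:
        """Record the result of that research: mark one key 'good' or 'bad'."""
        assert decision in ("good", "bad")
        for b in self.bindings.get(address, []):
            if b.fingerprint == fingerprint:
                b.policy = decision


def demo() -> List[str]:
    """Replay the mail's scenario: a key is learned, seen again, then a second key appears."""
    store = TofuStore()
    return [store.observe(ALICE, ALICE_KEY_1),
            store.observe(ALICE, ALICE_KEY_1),
            store.observe(ALICE, ALICE_KEY_2)]  # returns ['new', 'known', 'conflict']
```

With plain marginal WoT trust, two such keys would simply both be marginally trusted; the store above instead keeps both and reports the address under conflicts() until one is marked good or bad.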

