TOFU Design

Robert J. Hansen rjh at
Fri Jul 17 16:11:18 CEST 2015

> I'd like to informally present the high-level design that I'm
> working on for TOFU in GnuPG and some open questions.  I'm interested
> in feedback.  But if all you have to say is that you think TOFU is a
> bad idea, please restrain yourself.

I didn't see any discussion about the use case where there are multiple
certificates associated with an email address.  There are many people
who have such arrangements for a variety of reasons: for instance, up
until very recently I had an RSA certificate for signing Fedora RPMs, a
DSA2 certificate I used for most email, an RSA certificate I used for
testing Enigmail's smartcard support, and an ECDSA certificate I used to
test Enigmail's ECC support.

There needs to be some consideration for the case of multiple
certificates for a given email address.  It's just too commonplace to

> Should TOFU bindings be exportable?

Definitely not in 1.0.  Get a basic system bootstrapped and running, and
then revisit this issue.

More information about the Gnupg-devel mailing list