TOFU Design

Simon Josefsson simon at
Mon Jul 20 23:41:54 CEST 2015

"Neal H. Walfield" <neal at> writes:

> In conclusion: I think we should just use the regularized email
> address

I agree.  Remember that the local part is not case sensitive.

> and, perhaps allow checking names for advanced users.  This is similar
> to how ssh works.  Making sure the host key for a given ip address
> doesn't change is nice for sophisticated users, but it results in a
> lot of false positives due to wide use of a small portion of the
> private ip space (i.e., and dongles containing the MAC
> address, which results in dhcp assigning the same IP to different
> hosts.

I'm not sure this is useful, nor that this comparison is relevant.

> Note: it is unclear what to do when the OpenPGP User ID is not in RFC
> 2822 form or there is no email address.

If this is about PGP or email, I suspect to just ignore those cases?
There is use of OpenPGP for host keys, which puts the hostname in the
User ID, but I'm not sure this TOFU stuff is applicable to those
use-cases.  Maybe it is though, TOFU is often used for host connections.

> We are going to use SQLite to store the data rather than a custom
> binary format.  SQLite is highly portable and has the nice ACID
> properties.  This should significantly simplify the implementation.

Sounds good.

Have you thought about MUA considerations?  How would MUAs implement and
use this?  What would the APIs look like?
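
The design discussed in this message (bind on the regularized email address, keep the bindings in SQLite, ignore User IDs without an address) can be sketched as follows. This is an added example, not part of the original message and not GnuPG's code; the schema, the function names and the choice to regularize by lowercasing the whole address are assumptions made for illustration.

```python
import sqlite3
from email.utils import parseaddr

# Hypothetical schema: exactly one trusted fingerprint per regularized address.
SCHEMA = """
CREATE TABLE IF NOT EXISTS bindings (
    email       TEXT PRIMARY KEY,
    fingerprint TEXT NOT NULL,
    first_seen  TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
)
"""

def regularize(user_id):
    """Return the lowercased address from an RFC 2822 style User ID, or None."""
    _name, addr = parseaddr(user_id)
    local, at, domain = addr.rpartition("@")
    if not (local and at and domain):
        return None  # no usable email address, e.g. a host-key User ID
    return f"{local}@{domain}".lower()  # assumption: regularize = lowercase

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def observe(db, user_id, fingerprint):
    """Return 'new', 'match', 'conflict' or 'ignored' for one sighting of a key."""
    email = regularize(user_id)
    if email is None:
        return "ignored"
    fpr = fingerprint.replace(" ", "").upper()
    with db:  # commits on success, rolls back if an exception is raised
        row = db.execute(
            "SELECT fingerprint FROM bindings WHERE email = ?", (email,)
        ).fetchone()
        if row is None:
            # First use: trust this key for this address from now on.
            db.execute(
                "INSERT INTO bindings (email, fingerprint) VALUES (?, ?)",
                (email, fpr),
            )
            return "new"
    # The stored binding is never overwritten here; a changed key stays a
    # conflict until something outside this sketch resolves it.
    return "match" if row[0] == fpr else "conflict"
```

Because the display name is dropped before the lookup, two User IDs that differ only in name or letter case share one binding.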


More information about the Gnupg-devel mailing list