TOFU Design

Neal H. Walfield neal at
Tue Jul 21 13:58:16 CEST 2015

Hi Simon,

Thanks for your thoughts!

At Mon, 20 Jul 2015 23:41:54 +0200,
Simon Josefsson wrote:
> "Neal H. Walfield" <neal at> writes:
> > and, perhaps allow checking names for advanced users.  This is similar
> > to how ssh works.  Making sure the host key for a given ip address
> > doesn't change is nice for sophisticated users, but it results in a
> > lot of false positives due to wide use of a small portion of the
> > private ip space (i.e., and dongles containing the MAC
> > address, which results in dhcp assigning the same IP to different
> > hosts.
> I'm not sure this is useful, nor that this comparison is relevant.

The point of the comparison is that, like the ssh ip address check,
checking the name would result in many false positives, which most
people find very annoying.  But, for the truly paranoid, this check
provides value.  Consider the following two bindings:

  - Neal H. Walfield <neal at> / KEY1
  - Neal H. Walfield <neal at> / KEY2

Just using the email address would result in a prompt for a new TOFU
entry.  Checking the name reveals a possible attack.

But, the following two are probably legitimate:

  - John Smith <john.smith at>
  - John Smith <jsmith at>

> > Note: it is unclear what to do when the OpenPGP User ID is not in RFC
> > 2822 form or there is no email address.
> If this is about PGP or email, I suspect to just ignore those cases?
> There is use of OpenPGP for host keys, which puts the hostname in the
> User ID, but I'm not sure this TOFU stuff is applicable to those
> use-cases.  Maybe it is though, TOFU is often used for host connections.

This is about verifying all OpenPGP messages, not just email messages.
I'm a bit confused by the first sentence in this paragraph.  Do you
mean "over" instead of "or"?  If you really mean "or", can you please

The point of hostnames is a good one.  Probably if the user-id does
not appear to be a legitimate 2822 name-addr, then we should just use
the whole thing (after regularizing it).

> Have you thought about MUA considerations?  How would MUAs implement and
> use this?  What would the APIs look like?

I don't think MUAs have to be modified much at all.  Assuming they use
gpg --verify to check mails, the user just needs to set the right
trust model.  For most of the required interactions, we can simply use


:) Neal
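
An added sketch, not part of this message and not GnuPG's code, of the binding check discussed above: TOFU entries keyed on the email address, an optional name cross-check, and a fallback to the whole regularized user ID when it is not a name-addr. The addresses, key labels, status strings and the meaning of "regularize" (collapse whitespace, fold case) are assumptions made for the example.

```python
import re

# RFC 2822 name-addr shape: display name followed by <local@domain>.
NAME_ADDR = re.compile(r"^(.*?)\s*<([^<>\s@]+@[^<>\s@]+)>\s*$")

def regularize(text):
    # Assumption: "regularizing" means collapsing whitespace and folding case.
    return " ".join(text.split()).lower()

def parse_user_id(user_id):
    """Return (identity, name); identity is the email, or the whole user ID."""
    m = NAME_ADDR.match(user_id)
    if m:
        return regularize(m.group(2)), regularize(m.group(1))
    return regularize(user_id), ""   # e.g. a hostname used as the user ID

class TofuStore:
    def __init__(self, check_names=False):
        self.check_names = check_names
        self.by_identity = {}   # identity -> first key seen for it
        self.by_name = {}       # display name -> set of keys seen with it

    def check(self, user_id, key):
        """Classify a binding as known, conflict, name-conflict or new."""
        identity, name = parse_user_id(user_id)
        if identity in self.by_identity:
            return "known" if self.by_identity[identity] == key else "conflict"
        if self.check_names and name and self.by_name.get(name, set()) - {key}:
            return "name-conflict"   # same name already bound to another key
        self.by_identity[identity] = key
        if name:
            self.by_name.setdefault(name, set()).add(key)
        return "new"

def demo(check_names):
    store = TofuStore(check_names)
    seen = [  # constructed sample bindings; addresses and keys are placeholders
        ("Neal H. Walfield <neal@a.example>", "KEY1"),
        ("Neal H. Walfield <neal@b.example>", "KEY2"),
        ("John Smith <john.smith@c.example>", "KEY3"),
        ("John Smith <jsmith@c.example>", "KEY4"),
        ("host.example.org", "KEY5"),
        ("Host.Example.ORG", "KEY6"),
    ]
    return [store.check(uid, key) for uid, key in seen]
```

With the name check on, the second Neal binding and the second John Smith binding get the same "name-conflict" result, which is the false-positive cost the message describes.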

More information about the Gnupg-devel mailing list