TOFU - motivation

Christoph Anton Mitterer calestyo at scientia.net
Tue Mar 31 21:14:05 CEST 2015


On Tue, 2015-03-31 at 20:26 +0200, Neal H. Walfield wrote: 
> I'm thinking about how to implement trust on first use (TOFU) in
> GnuPG.  In this note, I want to lay the ground work.  This is probably
> uncontroversial, but I think it is important to state it explicitly.
Actually TOFU can be quite controversially discussed.

Especially since TOFU *if at all* has just benefits for "improving"
security of anonymous communication.
It would completely break the security of things like package signature
verification, if any new keys would be trusted on first use.

If anything special for this should be implemented in GnuPG, it
shouldn't become default in order not to break expected behaviour.



> TOFU is good for checking an association between an identity (in our
> case, an email address)
Actually, the identity should typically be the name and less the
address, since the latter can change at any time, in many cases even if
the owner doesn't want to.


>  and a key.  The idea is the following.  The
> first time that we observe a message from a particular email address,
> we record the email and the key.  After that, each time we receive a
> message, we check that the same key is used.  If not, then we issue a
> warning and the user can decide what to do.
I don't see much difference to current behaviour.
What your scenario misses (or silently assumes) is the "T" in TOFU, i.e.
the "Trust".
Trust, in GnuPG is typically gained by signing another key (well not
exactly but usually the two are connected).
And I definitely wouldn't want to have any other keys signed nor trusted
just because an email with them pops up.

But *if* you seriously consider that to be desirable (and notice that it
would be even weaker than X.509's strict hierarchical PKI, since in that
case you may trust keys/IDs for which *no* verification has been made at
all - in contrast to X.509 where at least "something" is claimed to be
done by the CAs)... then nothing keeps you from doing it now in GPG.
Just sign and/or trust every public key as soon as you encounter it. 


> Second, there is an active MITM attack.  TOFU can detect this if the
> MITM is not always successful.
But TOFU can generally not attack when the MitM runs from the beginning
on, which is the weak point on it, making it basically fully anonymously
authenticated.


> There are two convincing reasons to implement TOFU
Hehe "convincing" and "TOFU" are for me mutually exclusive ;)

>  in GnuPG and not in
> the user's MUA.
As said before, this would break the security assumptions of countless
programs relying on GnuPG providing strong and authenticated (in
contrast to anonymously authenticated) security.


Cheers,
Chris.
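
Added example (not part of the original message and not GnuPG code): a minimal TOFU binding store in Python that follows the record-then-compare scheme quoted above and shows the case raised in the reply, where a substituted key is present from the first message. The class, the function names, the address and the fingerprints are constructed for illustration.

```python
# Added illustration: a minimal TOFU binding store (hypothetical, not GnuPG code).
from enum import Enum


class Verdict(Enum):
    FIRST_USE = "first use: binding recorded, nothing was verified"
    MATCH = "same key as recorded"
    CONFLICT = "different key than recorded: warn the user"


class TofuStore:
    """Maps an email address to the first key fingerprint seen for it."""

    def __init__(self):
        self._bindings = {}

    def observe(self, email, fingerprint):
        # Assumption: addresses are compared case-insensitively.
        addr = email.strip().lower()
        fpr = fingerprint.replace(" ", "").upper()
        known = self._bindings.get(addr)
        if known is None:
            # No prior binding: record it. No identity check happens here.
            self._bindings[addr] = fpr
            return Verdict.FIRST_USE
        return Verdict.MATCH if known == fpr else Verdict.CONFLICT


# Constructed sample fingerprints, not real keys.
GENUINE_KEY = "AAAA" * 10
SUBSTITUTED_KEY = "BBBB" * 10


def late_substitution():
    """Genuine key seen first; a later substituted key is flagged."""
    store = TofuStore()
    seen = (GENUINE_KEY, GENUINE_KEY, SUBSTITUTED_KEY)
    return [store.observe("alice@example.org", f) for f in seen]


def substitution_from_start():
    """Substituted key seen first: it becomes the recorded binding, and
    the genuine key is the one that later raises the warning."""
    store = TofuStore()
    seen = (SUBSTITUTED_KEY, SUBSTITUTED_KEY, GENUINE_KEY)
    return [store.observe("alice@example.org", f) for f in seen]


if __name__ == "__main__":
    for name, run in (("late", late_substitution), ("from start", substitution_from_start)):
        print(name, [v.name for v in run()])
```

Both runs return the same verdict sequence, so the store alone cannot tell which of the two keys is the genuine one.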