TOFU - motivation

Robert J. Hansen rjh at
Tue Mar 31 21:51:35 CEST 2015

> I'm thinking about how to implement trust on first use (TOFU) in
> GnuPG.

Don't.  Seriously.

GnuPG is a toolbox.  TOFU is a policy.  Keep 'em separated and everyone
will be happier.  That isn't to say you can't do TOFU, just don't expect
people to be cheerful about the prospect of putting policy into GnuPG.

> TOFU is good for checking an association between an identity (in our
> case, an email address) and a key.

This handwaves "identity".  I'll go so far as to say that I don't
consider an email address to be an identity -- there's absolutely no
assurance that it identifies a specific person.

That doesn't make TOFU a bad idea.  In certain contexts it makes a lot
of sense.  But let's not oversell it by claiming TOFU checks
associations between identities and certificates.

> There are two convincing reasons to implement TOFU in GnuPG and not in
> the user's MUA.

I'm completely unconvinced.

> First, we want to preserve the trust database even if
> the user changes MUAs.

No, we don't.  One email system might be TOFU, and another email system
might require strong identity checks.  Or what about the case of two
TOFU systems: should system A be required to trust the certificates
entered by system B?  They're both writing to the same GnuPG trust DB,
after all.

This is why we don't do policy in GnuPG.  :)

> Second, we want to reduce the burden on the MUA authors.

We want to reduce *unnecessary* burden.  But if you're establishing
policy, then it's up to you to develop tools to support that policy.  :)

> Implementing the logic in GnuPG has a small trade-off: it's not quite
> the right level of abstraction.

Correct.  It's not the right level to solve it at.

> For instance, if there is a mismatch, the
> MUA should dialog asking the user what to do.  This requires that
> GnuPG make an upcall to the MUA.

As it currently stands, TOFU would (should) be done at the MUA level.
When the MUA receives a message, it can call GnuPG to discover the
certificate used for signing.  If the certificate used is not what the
MUA expects, it can ask the dialog what to do: no upcall required.

In other words, you're assuming the existence of a TOFU-aware GnuPG as a
justification for why we need a TOFU-aware GnuPG.  That's just not going
to fly.  :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150331/afe7dac3/attachment.sig>

More information about the Gnupg-devel mailing list