TOFU - motivation
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Mar 31 22:04:34 CEST 2015
On Tue 2015-03-31 15:58:29 -0400, Daniel Kahn Gillmor wrote:
> How to get there
> ================
>
> If we want to do this effectively, we need to make sure that all users
> of GnuPG understand how TOFU-style annotation, insertion, and update
> should work.
>
> This is probably work that needs doing at two levels within the GnuPG
> project itself:
>
> 0) figure out how TOFU assertions should be stored by GnuPG
>
> 1) figure out if GnuPG should offer any more-convenient interface to
> set and update these assertions (this would facilitate work by
> consumers of the GnuPG interface)
I should follow up here to point out that pretty much all of the above
seems possible to do today, maybe with the exception of accepting the
use of persona certifications. It's probably not done more widely
because:
a) doing this in an automated way is pretty clunky at the moment.
b) there's no common way to do it, which means that tools which share
the gpg keyring for e-mail don't have a common convention on how to
collaborate in such a TOFU scheme.
Embedding these features in gpg itself would address these two caveats
somewhat, and could make for a more usable (and portable) mechanism.
--dkg
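The post talks about TOFU-style annotation, insertion and update of bindings between an e-mail address and a key, and about where such assertions are stored. Below is an added example, not code from this thread or from GnuPG, of the minimal state machine a TOFU store needs: insert on first sight, update counters on repeated sight, flag a different key for an already-bound address as a conflict, let the user annotate a binding as good or bad, and serialise the whole thing so other tools sharing the keyring could read the same convention. All names (`TofuStore`, `Binding`, the verdict strings) and the fingerprints in the constructed sample data are hypothetical.

```python
import json
import time
from dataclasses import dataclass, asdict


@dataclass
class Binding:
    """One observed (address, key) pairing. Hypothetical data model, not GnuPG's."""
    fingerprint: str
    first_seen: int
    last_seen: int
    count: int = 1
    # "auto": accepted on first use; "conflict": a second key for a bound address;
    # "good"/"bad": explicit user annotation.
    status: str = "auto"


class TofuStore:
    """Per-address record of which keys have been seen signing mail."""

    USER_STATUSES = ("good", "bad")

    def __init__(self, bindings=None):
        self.bindings = bindings if bindings is not None else {}  # email -> [Binding]

    def observe(self, email, fingerprint, now=None):
        """Insert or update the binding for (email, fingerprint).

        Returns a verdict: "new", "known", "conflict" or "bad".
        """
        now = int(time.time()) if now is None else now
        known = self.bindings.setdefault(email, [])
        for b in known:
            if b.fingerprint == fingerprint:
                b.last_seen = now
                b.count += 1
                # Keys the user already rejected, or that were never resolved,
                # keep reporting their status on every sighting.
                return b.status if b.status in ("bad", "conflict") else "known"
        # A different key for an address that still has a live (non-bad) binding
        # is exactly the situation TOFU exists to surface.
        if any(b.status != "bad" for b in known):
            known.append(Binding(fingerprint, now, now, status="conflict"))
            return "conflict"
        known.append(Binding(fingerprint, now, now))
        return "new"

    def set_status(self, email, fingerprint, status):
        """User annotation: mark a binding good or bad (e.g. after key rotation)."""
        if status not in self.USER_STATUSES:
            raise ValueError(f"status must be one of {self.USER_STATUSES}")
        for b in self.bindings.get(email, []):
            if b.fingerprint == fingerprint:
                b.status = status
                return
        raise KeyError(f"no binding for {email} / {fingerprint}")

    # Storage: a plain JSON document any tool sharing the keyring could parse.
    def to_json(self):
        return json.dumps(
            {email: [asdict(b) for b in bs] for email, bs in self.bindings.items()},
            sort_keys=True,
        )

    @classmethod
    def from_json(cls, text):
        raw = json.loads(text)
        return cls({email: [Binding(**d) for d in bs] for email, bs in raw.items()})


def demo():
    """Constructed sample: a key rotation seen from the TOFU store's side."""
    store = TofuStore()
    verdicts = []
    # Made-up fingerprints, not real keys.
    verdicts.append(store.observe("alice@example.org", "AAAA0001", 100))  # new
    verdicts.append(store.observe("alice@example.org", "AAAA0001", 200))  # known
    verdicts.append(store.observe("alice@example.org", "BBBB0002", 300))  # conflict
    # The user confirms out of band that alice rotated keys.
    store.set_status("alice@example.org", "AAAA0001", "bad")
    store.set_status("alice@example.org", "BBBB0002", "good")
    verdicts.append(store.observe("alice@example.org", "BBBB0002", 400))  # known
    verdicts.append(store.observe("alice@example.org", "AAAA0001", 500))  # bad
    return verdicts, store


if __name__ == "__main__":
    result, store = demo()
    print(result)
    print(store.to_json())
```

The verdict for a conflicting key is deliberately not "reject": the store records the second key with status `conflict` so that the mail client can warn and the user can later resolve it with `set_status`, which is the "update" half of the scheme the post describes.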
More information about the Gnupg-devel mailing list