TOFU - motivation

Robert J. Hansen rjh at
Tue Mar 31 22:15:01 CEST 2015

> b) there's no common way to do it, which means that tools which
> share the gpg keyring for e-mail don't have a common convention on
> how to collaborate in such a TOFU scheme.

Or even if they *want* to collaborate.  It's easy for me to imagine a
setup where application A doesn't trust the certifications-of-use made
by application B.

Imagine that you've got AmeriTrade and E*Trade (two major online stock
brokerages here in the U.S.).  They both need to communicate with
oversight at  However, neither one of them might be willing to
trust an introduction to oversight at made by the other one, even
if both apps exist on the same user's computer.  "Screw this, I'll only
trust oversight at if *I'm* the one putting it in the DB!"

The Web of Trust handles this by allowing people to decide their own
trusted introducers.  But for system-wide TOFU, *every* application with
write access to the DB is a trusted introducer.

That doesn't sit well with me.  It really gives me the heebie-jeebies,
to be honest.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150331/dadd5f59/attachment-0001.sig>

More information about the Gnupg-devel mailing list