TOFU code available

Bernhard Reiter bernhard at
Fri Oct 16 10:36:47 CEST 2015

Hi Neal,

good too see progress here, discussion and writeups

On Thursday 01 October 2015 at 23:17:10, Neal H. Walfield wrote:
> --tofu-default-policy is a powerful knob.  A common concern among
> security sensitive users is that TOFU is too weak, because it
> automatically trusts everyone.  But, TOFU can detect man-in-the-middle
> attacks.  Although a careful use of the WoT can also prevent such
> attacks, the WoT imposes a large overhead: secure communication is
> often not possible until a physical meeting has occured and the user
> must spend a lot of time not only collecting signatures, but also
> curating their trusted introducers (gpg --key-edit KEYID; trust).
> (Anecdotally, even those people who actively sign keys don't realize
> they have to do this.)  By setting --tofu-default-policy to unknown,
> we only use the TOFU data for negative assertions (i.e., conflicts)
> and rely on the WoT for positive assertions.  Thus, TOFU can help even
> the most paranoid without exposing them to additional risk.

My suggestion is to keep a "current state" with "current design"
document on the wiki, because it soon gets harder to keep the overview
on an email discussion. For example it took me some time scanning
to find the part above that I was more interested in as it explains
goals and parts of the motivation and reasoning about this feature.


-- (CEO) (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20151016/dd752b14/attachment.sig>

More information about the Gnupg-devel mailing list