Handling a TOFU conflict
Robert J. Hansen
rjh at sixdemonbag.org
Sat Dec 10 01:54:59 CET 2016
> Fwiw: I'm totally on Werner's side regarding homographic attacks because I
> currently don't see them as a threat. But I am open for arguments :-)
I agree with you. More than that, I see this is a Bill-and-Ted problem
(so named for the movie _Bill and Ted's Excellent Adventure_):
Bill: Ted, while I agree that, in time, our band will be most
      triumphant, the truth is Wyld Stallyns will never be a super
      band until we have Eddie Van Halen on guitar.
Ted:  Yes, Bill. But I do not believe we will get Eddie Van Halen
      until we have a triumphant video.
Bill: Ted, it's pointless to have a triumphant video before we
      even have decent instruments.
Ted:  Well, how can we have decent instruments when we don't really
      even know how to play?
Bill: That's why we need Eddie Van Halen!
Ted:  And that's why we need a triumphant video!
Bill-and-Tedism is like bikeshedding, but even less productive.
Bikeshedding wastes valuable time and energy on trivia; Bill-and-Tedding
escalates trivial things to issues that block work getting done.
Insisting that theoretical attacks be mitigated is (usually)
Bill-and-Tedism. There will always be more theoretical attacks to
mitigate and as a result it'll never be deployed. On the other hand,
you can always put in the release notes, "We do not defend against this
theoretical attack. If that's a problem for you, disable this feature."
AFAIK, there are no reports of homographic attacks being used in the
wild. I personally would be overjoyed if they were: that would mean
OpenPGP's adoption had increased to the point where it was worthwhile to
make these attacks...