How to show TOFU / Web Key Directory trust in Mail User Agents

Andre Heinecke aheinecke at
Fri Jun 10 10:35:08 CEST 2016


I'm currently writing a plan for how we will implement support for TOFU in KMail. 
For signature states this is relatively clear to me. We only show a "Green" or 
Valid / Trusted signature once we have reached the "Key with enough 
history for basic trust" state. Well actually we will probably follow what 
GpgME tells us.

But for sending I'm unsure how to handle encrypting to a recipient that does 
not have enough history for basic trust.

Currently KMail warns if a Key for a UID is selected where the UID Validity is 
less than Marginal. In the Future [1] we want to show an icon representation 
and simplified Tooltip of the Key Validity next to the Recipient entry field, 
where a click on the Icon would open a Details dialog with more explanations.

Unknown / key without history: Some kind of Warning / Question Mark Icon and a 
tooltip with something simple like "Security Unknown".

But the next point is what I am unsure about:
Marginal / key with too little history for basic trust: I'd like to show 
something like "Security Good" / Green check mark in that case already. 
a) Encrypting with this key means you are already protected against all 
passive attacks and just using OpenPGP is way better than sending an 
unencrypted mail.
b) We are using TOFU (Trust on _first_ Use) not TOTU (Trust on tenth use ;-) )
c) I don't know what else the user could do to increase that trust in the Tofu 
model. "Hey please send me 10 more mails before I will respond to you with all 
my secret data."

Full Details with TOFU History would be available on click in the details 
Dialog for technically interested users.

But of course this leaves you open to an attack that would prompt you to 
encrypt data to a Mail Address, sent in a signed Mail and the Reply would 
already show "Good" security as you have verified one signature from that key.

Because of this I was criticized that this is too "relaxed" a UI and that we 
should rather show some "There is no indication that this Key belongs to the 
User" warning for cases where TOFU Trust is "Key with too little history".

Which leads me to another Problem. How to show / handle the case where a Key 
was obtained from the Drafted Web Key Directory [2]. In this case there is 
already an indication that the Key belongs to the owner of the Mail account as 
the provider / web key service told us this. But in the TOFU Trust model this 
key would be handled like a key with too little history.

I think ideally such a key would be treated like a key with enough history for 
basic trust as an Attack would have been more expensive than just "tricking" 
the user into verifying one mail.

Do you have any suggestions on how we should handle this in the UI? And how to 
treat Web Key Directory keys?



Andre Heinecke |  ++49-541-335083-262  |
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
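The two UI policies discussed in the mail (the "relaxed" one that shows "Security Good" already at "too little history", and the stricter one that warns instead) together with the proposed exception for keys obtained via Web Key Directory, written out as decision logic. This is an added example and not KMail or GpgME code; the numeric validity levels follow the scale GpgME reports in gpgme_tofu_info_t (0 = conflict, 1 = no history, 2 = too little history, 3 = enough for basic trust, 4 = a lot of history), the field names, `KeyInfo`, and the icon/tooltip strings are assumptions for illustration.

```python
from dataclasses import dataclass

# TOFU validity levels, in the order GpgME reports them (assumed scale).
TOFU_CONFLICT, TOFU_NONE, TOFU_LITTLE, TOFU_BASIC, TOFU_FULL = range(5)


@dataclass(frozen=True)
class KeyInfo:
    """Hypothetical summary of what the MUA knows about a recipient key."""
    tofu_validity: int          # 0..4 as above
    from_wkd: bool = False      # key was fetched from the Web Key Directory
    tofu_policy: str = "auto"   # GnuPG TOFU policy: auto, good, unknown, bad, ask


def effective_validity(key: KeyInfo, trust_wkd: bool = True) -> int:
    """Proposal from the mail: a WKD-sourced key with too little history is
    treated like a key with enough history for basic trust, because the
    provider already vouched that the key belongs to the mail account."""
    if trust_wkd and key.from_wkd and key.tofu_validity == TOFU_LITTLE:
        return TOFU_BASIC
    return key.tofu_validity


def recipient_indicator(key: KeyInfo, relaxed: bool, trust_wkd: bool = True) -> tuple:
    """(icon, tooltip) for the recipient entry field.
    relaxed=True  : green check already at 'too little history'.
    relaxed=False : the criticized-for alternative, warn until basic trust."""
    # An explicit user decision or a conflict always wins over history counts.
    if key.tofu_policy == "bad" or key.tofu_validity == TOFU_CONFLICT:
        return ("error", "Security Bad: key conflict or key marked bad")
    if key.tofu_policy == "good":
        return ("check", "Security Good: key explicitly marked good")
    v = effective_validity(key, trust_wkd)
    if v == TOFU_NONE:
        return ("question", "Security Unknown")
    if v == TOFU_LITTLE:
        if relaxed:
            # This is the case the mail worries about: one verified signature
            # from a key is enough to turn the reply's indicator green.
            return ("check", "Security Good")
        return ("warning", "There is no indication that this key belongs to the user")
    return ("check", "Security Good")


def signature_is_green(key: KeyInfo) -> bool:
    """Signature display from the mail: Valid / Trusted only once the key has
    enough history for basic trust. The WKD exception is not applied here."""
    return key.tofu_policy != "bad" and key.tofu_validity >= TOFU_BASIC
```

Running both modes over the same key makes the trade-off concrete: a key seen in exactly one signed mail shows a green check in relaxed mode and a warning in strict mode, and only the WKD origin lifts it to green in strict mode.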