Key selection order

Andrew Gallagher andrewg at
Thu Jan 14 21:06:38 CET 2016

> On 14 Jan 2016, at 19:11, NdK <ndk.clanbo at> wrote:
> On 14/01/2016 18:04, Andrew Gallagher wrote:
>> ... which is why you should never use ToFU. There is no known method of
>> secure communication that does not involve out of band verification.
> I disagree.
> TOFU is what many users do anyway:

Granted. And it does provide a speed bump to a potential attacker, so is preferable to nothing. But it's not a long-term solution.

> identity persistence is often more
> important than "real" identity... 

TOFU does not guarantee identity persistence. Just because your correspondence hasn't been obviously tampered with (yet) does not mean that someone hasn't been MITMing you all along and biding their time.


More information about the Gnupg-users mailing list