Interesting update from GNUPG: they decided to implement TOFU in addition to
the Web of Trust, admitting that, with practice and usability considered, TOFU is
a more secure trust model than the Web of Trust.
Bye bye PGP key signing parties?
> In contrast to the Web of Trust <https://en.wikipedia.org/wiki/Web_of_trust>
> (WoT), TOFU's security guarantees are rather weak. When using the WoT
> correctly, you can have high confidence that if GnuPG says a given key is
> controlled by a specific user, then it probably is. TOFU, on the other hand,
> is only able to detect when the key associated with an email address has
> changed. Despite this, TOFU will be more secure than the WoT for most users
> in practice. This is because using the WoT requires a lot of manual support,
> which most users never bother with. In particular, you need to verify
> fingerprints and set the owner trust to take advantage of friend of friend
> verification.
>
> Happily you don't need to choose between TOFU and the WoT. It is possible to
> combine them using the tofu+pgp trust model. In this model, the trust level
> for a key under each model is computed and then the maximum is taken.
>
https://gnupg.org/blog/20151103-gnupg-in-october.html
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
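The tofu+pgp combination quoted above, modelled as an added example that is not part of the original post or of GnuPG's own code. The model assumes an ordering of trust levels (never < unknown < marginal < full), assumes that a first sighting of an address binds it to a key and that a later sighting with a different key is a conflict, and represents the Web of Trust as a precomputed fingerprint-to-level table; the e-mail addresses and fingerprints are constructed sample data.

```python
"""Simplified model of GnuPG's TOFU trust model and the tofu+pgp combination.

Assumptions (not GnuPG's actual code or data formats):
  - Trust levels are ordered never < unknown < marginal < full.
  - The first sighting of an e-mail address binds it to that key (trust on first use).
  - A later sighting of the same address with a different key is a conflict ('never');
    repeated sightings with the bound key are rated 'marginal'.
  - The Web of Trust is a precomputed fingerprint -> level table.
"""
from __future__ import annotations

from dataclasses import dataclass, field

LEVELS = ["never", "unknown", "marginal", "full"]


def rank(level: str) -> int:
    """Position of a level in the assumed ordering (higher is more trusted)."""
    return LEVELS.index(level)


@dataclass
class TofuStore:
    """Remembers which key fingerprints each e-mail address has been seen with."""

    bindings: dict[str, set[str]] = field(default_factory=dict)

    def observe(self, email: str, fpr: str) -> str:
        keys = self.bindings.setdefault(email, set())
        if not keys:
            keys.add(fpr)
            return "unknown"   # first use: record the binding, nothing to compare yet
        if fpr in keys:
            return "marginal"  # consistent with the key seen before
        keys.add(fpr)
        return "never"         # the key for this address changed: TOFU conflict

    def conflicts(self, email: str) -> bool:
        """True once an address has been seen with more than one key."""
        return len(self.bindings.get(email, ())) > 1


def wot_level(wot: dict[str, str], fpr: str) -> str:
    """WoT validity of a key; keys the user never verified are 'unknown'."""
    return wot.get(fpr, "unknown")


def combined_level(tofu: str, wot: str) -> str:
    """tofu+pgp as described in the GnuPG post: compute both, take the maximum."""
    return max(tofu, wot, key=rank)


def demo() -> dict[str, str]:
    """Walk a constructed sequence of sightings through tofu+pgp (sample data only)."""
    fpr_a, fpr_b, fpr_c = "A" * 40, "B" * 40, "C" * 40
    wot = {fpr_c: "full"}  # the only key the user verified and signed
    store = TofuStore()
    events = [
        ("alice_first",  "alice@example.org", fpr_a),  # first use: bound, still unknown
        ("alice_again",  "alice@example.org", fpr_a),  # same key again: marginal
        ("alice_newkey", "alice@example.org", fpr_b),  # different key: TOFU says never
        ("carol_first",  "carol@example.org", fpr_c),  # TOFU unknown, WoT full: full
    ]
    out: dict[str, str] = {}
    for name, email, fpr in events:
        out[name] = combined_level(store.observe(email, fpr), wot_level(wot, fpr))
    return out


if __name__ == "__main__":
    for name, level in demo().items():
        print(f"{name:14s} {level}")
```

Two things the walk-through makes visible. A key the user verified through the WoT keeps its "full" validity regardless of TOFU history, which is the point of taking the maximum. Conversely, under the assumed ordering a plain maximum lets a WoT "unknown" outrank a TOFU "never", so the conflict for alice's new key is not visible in the combined level alone and has to be reported separately (here via `conflicts()`); how GnuPG itself surfaces a conflict is outside this model.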