TOFU - motivation

Tue Mar 31 22:28:33 CEST 2015

Hi Christoph,

Thanks for your comments.

At Tue, 31 Mar 2015 21:14:05 +0200,
Christoph Anton Mitterer wrote:
> 
> On Tue, 2015-03-31 at 20:26 +0200, Neal H. Walfield wrote: 
> > I'm thinking about how to implement trust on first use (TOFU) in
> > GnuPG.  In this note, I want to lay the ground work.  This is probably
> > uncontroversial, but I think it is important to state it explicitly.
> Actually TOFU can be quite controversially discussed.

I guess I wasn't clear.  I realize that TOFU is controversial.  What I
was trying to say is: under the assumption that we want TOFU, my claim
was that the rest of my message is rather uncontroversial (but perhaps
that is not the case :).

> Especially since TOFU *if at all* has just benefits for "improving"
> security of anonymous communication.
> It would completely break the security of things like package signature
> verification, if any new keys would be trusted on first use.
> 
> If anything special for this should be implemented in GnuPG, it
> shouldn't become default in order not to break expected behaviour.

Absolutely.  It is not intended that TOFU become the default trust
model.  However, I think that for casual users, TOFU can provide a
benefit.  It certainly provides a benefit for OpenSSH.

> > TOFU is good for checking an association between an identity (in our
> > case, an email address)
> Actually, the identity should typically be the name and less the
> address, since the later can change at any time, in many cases even if
> the owner doesn't want to.

I'm not convinced that names are the right identifier.  It's true that
email addresses can change, but names are definately not unique.

> >  and a key.  The idea is the following.  The
> > first time that we observe a message from a particular email address,
> > we record the email and the key.  After that, each time we receive a
> > message, we check that the same key is used.  If not, then we issue a
> > warning and the user can decide what to do.
> I don't see much difference to current behaviour.
> What your scenario misses (or silently assumes) is the "T" in TOFU, i.e.
> the "Trust".

What we are trying to do is identify inconsistencies in time.  This is
more than we can do without signatures.  Clearly, direct verification
is better, but, for many users, getting signatures is too much of a
burden.  We are looking for a middle ground.

> Trust, in GnuPG is typically gained by signing another key (well not
> exactly but usually the two are connected).
> And I defenitely wouldn't want to have any other keys signed nor trusted
> just because and email with them pops up.
>
> But *if* you seriously consider that to be desirable (and notice that it
> would be even weaker than X.509's strict hierarchical PKI, since in that
> case you may trust keys/IDs for which *no* verification has been made at
> all - in contrast to X.509 where at least "something" is claimed to be
> done by the CAs)... than nothing keeps you from doing it now in GPG.
> Just sign and/or trust every public key as soon as you encounter it. 

The TOFU stuff is orthogonal to the web of trust.  When we see a key
for the first time and the user acks it, then we don't generate a
signature.

> > Second, there is an active MITM attack.  TOFU can detect this if the
> > MITM is not always successful.
> But TOFU can generally not attack when the MitM runs from the beginning
> on, which is the weak point on it, making it basically fully anonymously
> authenticated.

Yes, I said this, but you have said it more explicitly.

Thanks,

Neal