1
0
Fork 0
mirror of https://git.sr.ht/~seirdy/seirdy.one synced 2024-11-10 00:12:09 +00:00

New note: WKD and TOFU

This commit is contained in:
Rohan Kumar 2022-01-08 14:04:22 -08:00
parent ced6576343
commit 40845bd8b6
No known key found for this signature in database
GPG key ID: 1E892DB2A5F84479

View file

@ -0,0 +1,15 @@
---
title: "Wkd and TOFU"
date: 2023-01-08T14:04:22-08:00
replyURI: "https://tilde.zone/@ryan/109655653939080034"
replyTitle: "WKD is still TOFU so you should still verify out of band"
replyType: "SocialMediaPosting"
replyAuthor: "Ryan Heywood"
replyAuthorURI: "https://ryansquared.pub/"
syndicatedCopies:
- title: 'The Fediverse'
url: 'https://pleroma.envs.net/notice/ARRkGdJTzZpLF8Bz04'
---
I encourage people who fetch my keys to verify over multiple bands; for instance, they can fetch it over both Web Key Directory and DANE. They can also use something like Keyoxide to verify that it is associated with many other online accounts, perhaps including the account I was using when I first met that person. The later isn't exactly verifying "out of band", but it's super helpful.
If you're willing to do some of that (a _big_ "if": good communication protocols should make key exchange easier than this), then I'd argue that the initial leap of faith associated with Trust-On-First-Use (TOFU) is mostly a non-issue. However, PGP has its own larger set of issues that make it a poor candidate for communication protocols (complexity/configuration-hell with too many footguns, no forward secrecy, long-lived secrets, etc).