[messaging] TOFU to ease PGP key discovery

Michael Rogers michael at briarproject.org
Mon Feb 9 05:19:51 PST 2015



Hi Tankred,

What happens if the sender finds more than one key for the recipient?
Many PGP users (including myself) have published more than one key
over the years, and haven't always revoked their obsolete keys.

Do you have some heuristics for picking the best key, and if so, could
an adversary game those heuristics to get the sender to pick a key
published by the adversary?

Cheers,
Michael

On 09/02/15 08:58, Tankred Hase wrote:
> Hi,
> 
> we've added HKP key server support to Whiteout Mail and have
> written a post about usability. Thought I'd share it here:
> 
> https://blog.whiteout.io/2015/02/06/making-pgp-key-management-invisible-so-johnny-can-encrypt/
>
> Thanks for any feedback!
> 
> Tankred
> 

