[messaging] TOFU to ease PGP key discovery
Ben Harris
mail at bharr.is
Mon Feb 9 05:54:03 PST 2015
> Do you have some heuristics for picking the best key, and if so, could
> an adversary game those heuristics to get the sender to pick a key
> published by the adversary?
I'd assume the timestamp would be used to break ties. And they discount the
attacker that makes a false key because "they wouldn't be able to receive
the emails anyway".

I hope users are encouraged to use the long fingerprint when verifying keys
as creating a false key with a selected short fingerprint is trivial (see
my ABCDABCD).
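
The short-versus-long fingerprint point above, as an added example that is not part of the original message: a short-ID lookup returns both of two keys sharing the low 32 bits, while a check against the full 40-hex-digit v4 fingerprint accepts only one and rejects a truncated reference value. The keyring entries, fingerprints and function names are constructed for illustration.

```python
import re

FPR_HEX_LEN = 40  # OpenPGP v4 fingerprint: 160-bit SHA-1 digest, 40 hex digits


def normalize(value):
    """Drop spaces, colons and an optional 0x prefix, then upper-case."""
    s = re.sub(r"[\s:]", "", value)
    if s[:2].lower() == "0x":
        s = s[2:]
    return s.upper()


def short_id(fpr):
    """Short key ID: the low 32 bits (last 8 hex digits) of the fingerprint."""
    return normalize(fpr)[-8:]


def lookup_by_short_id(keyring, wanted):
    """What a short-ID lookup does: return every key whose low 32 bits match."""
    return [k for k in keyring if short_id(k["fpr"]) == normalize(wanted)]


def verify_full(key, expected):
    """Accept a key only on an exact match of the full 40-digit fingerprint."""
    exp = normalize(expected)
    if not re.fullmatch(r"[0-9A-F]{%d}" % FPR_HEX_LEN, exp):
        raise ValueError("need the full 40-hex-digit fingerprint, got %r" % expected)
    return normalize(key["fpr"]) == exp


# Constructed sample data (assumption): two keys for one address whose
# fingerprints differ everywhere except the last 8 hex digits.
KEYRING = [
    {"uid": "alice@example.org",
     "fpr": "1111 2222 3333 4444 5555 6666 7777 8888 ABCD ABCD"},
    {"uid": "alice@example.org",
     "fpr": "9999 8888 7777 6666 5555 4444 3333 2222 ABCD ABCD"},
]
# Reference fingerprint as obtained out of band (constructed value).
EXPECTED = "11112222333344445555666677778888ABCDABCD"

if __name__ == "__main__":
    print("short-ID matches:", len(lookup_by_short_id(KEYRING, "0xABCDABCD")))
    for k in KEYRING:
        print(k["fpr"], "->", "accept" if verify_full(k, EXPECTED) else "reject")
```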