[messaging] TOFU to ease PGP key discovery

Ben Harris mail at bharr.is
Mon Feb 9 05:54:03 PST 2015

> Do you have some heuristics for picking the best key, and if so, could
> an adversary game those heuristics to get the sender to pick a key
> published by the adversary?

I'd assume the timestamp would be used to break ties. And they discount the
attacker that makes a false key because "they wouldn't be able to receive
the emails anyway".

I hope users are encouraged to use the long fingerprint when verifying keys
as creating a false key with a selected short fingerprint is trivial (see
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150209/28003fe5/attachment.html>

More information about the Messaging mailing list