[messaging] TOFU to ease PGP key discovery
mail at bharr.is
Mon Feb 9 05:54:03 PST 2015
> Do you have some heuristics for picking the best key, and if so, could
> an adversary game those heuristics to get the sender to pick a key
> published by the adversary?
I'd assume the timestamp would be used to break ties. And they discount the
attacker that makes a false key because "they wouldn't be able to receive
the emails anyway".
I hope users are encouraged to use the long fingerprint when verifying keys
as creating a false key with a selected short fingerprint is trivial (see
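The point about short fingerprints, as an added example (not part of the message above or of the list discussion): a v4 OpenPGP fingerprint covers the creation timestamp as well as the key material, so an attacker can hold a key fixed and step the timestamp until the fingerprint's low bits match a target; the 32-bit short key ID is just the last four bytes of that fingerprint. The moduli below are constructed placeholder integers, not real RSA keys, and the search only targets 16 bits so it finishes quickly; matching a full short key ID is the same loop with about 2^32 SHA-1 evaluations.

```python
import hashlib
import hmac
import struct

# Constructed placeholder "moduli": the fingerprint computation only sees bytes,
# so a real RSA modulus is not needed to show how the short key ID behaves.
VICTIM_N = int.from_bytes(hashlib.sha512(b"constructed victim modulus").digest() * 4, "big") | (1 << 2047) | 1
ATTACKER_N = int.from_bytes(hashlib.sha512(b"constructed attacker modulus").digest() * 4, "big") | (1 << 2047) | 1
RSA_E = 65537
VICTIM_CREATED = 1423490043  # arbitrary creation time, seconds since the epoch


def mpi(n: int) -> bytes:
    """OpenPGP MPI (RFC 4880 3.2): two-byte bit length, then big-endian bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet (RFC 4880 5.5.2): version 4, 4-byte creation
    time, algorithm 1 (RSA), then the MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def short_key_id(fpr: bytes) -> str:
    """The 32-bit short key ID is the last four bytes of the fingerprint."""
    return fpr[-4:].hex().upper()


def long_key_id(fpr: bytes) -> str:
    """The 64-bit long key ID is the last eight bytes; still not the full fingerprint."""
    return fpr[-8:].hex().upper()


def find_creation_time_for_suffix(n: int, e: int, suffix_hex: str, limit: int = 1 << 20):
    """Step the creation timestamp, key material unchanged, until the fingerprint
    ends in suffix_hex. Returns (timestamp, fingerprint) or None if limit is hit."""
    suffix = suffix_hex.lower()
    for created in range(limit):
        fpr = v4_fingerprint(v4_rsa_public_key_body(n, e, created))
        if fpr.hex().endswith(suffix):
            return created, fpr
    return None


def fingerprints_match(expected_hex: str, candidate: bytes) -> bool:
    """The check a verifier should do: compare all 160 bits, not the last 32."""
    expected = bytes.fromhex(expected_hex.replace(" ", ""))
    return len(expected) == 20 and hmac.compare_digest(expected, candidate)


def demo() -> dict:
    """Forge a key whose fingerprint shares the victim's low 16 bits, then show
    that a full-fingerprint comparison still rejects it."""
    victim = v4_fingerprint(v4_rsa_public_key_body(VICTIM_N, RSA_E, VICTIM_CREATED))
    target = short_key_id(victim)[-4:]  # 16 bits for a quick demo; a real attack targets all 8 hex digits
    found = find_creation_time_for_suffix(ATTACKER_N, RSA_E, target)
    if found is None:
        raise RuntimeError("search limit reached without a match")
    created, fake = found
    return {
        "victim_fpr": victim.hex().upper(),
        "fake_fpr": fake.hex().upper(),
        "fake_created": created,
        "short_ids_collide": fake.hex().upper().endswith(target),
        "full_fingerprint_match": fingerprints_match(victim.hex(), fake),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the attacker never has to change the key material, only the timestamp, the cost of a chosen short key ID is bounded by SHA-1 throughput rather than key generation; the long (64-bit) key ID raises the bar but only the full 40-hex-digit fingerprint identifies the key.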