[messaging] TOFU to ease PGP key discovery

Tankred Hase tankred at whiteout.io
Mon Feb 9 06:03:37 PST 2015

Hi Michael,

for GET requests our keyserver just acts as a proxy to HKP servers like so:


If I understand the HKP protocol correctly this gives us the most recent key. I've tested this and have thus far received a sane response in most cases. E.g. I'm using Whiteout Mail right now and got the following key for you:

E64F 19EB BBE8 6AA9 7AF3 6FD5 1104 4FD1 9FC5 27CC

I agree that this will not always work though. Specifically if someone uploads a fake key for you. I'm not sure if the HKP servers use certain heuristics on their side to decide which key to give me (e.g. the key with the most signatures). But according to the threat model we describe in our blog, this is regarded as a "targeted attack". To correct this users can manually lookup keys in the contacts menu in Whiteout Mail. 

In the user-labs we have conducted internally, this has worked well enough up until now. Our findings were that non-pgp users that are not very tech-savvy were able to send encrypted mails to experienced GPG users without having to fully understand how things work under the hood.

Like the post states there is obviously a trade-off in terms of security here, but the goal with our approach is to get new users using PGP that would previously have failed with something like GPGtools or Enigmail. This is also the market we are trying to address right now.


Monday, Feb 9, 2015 2:19 PM Michael Rogers wrote:
> Hi Tankred,
> What happens if the sender finds more than one key for the recipient?
> Many PGP users (including myself) have published more than one key
> over the years, and haven't always revoked their obsolete keys.
> Do you have some heuristics for picking the best key, and if so, could
> an adversary game those heuristics to get the sender to pick a key
> published by the adversary?
> Cheers,
> Michael
> On 09/02/15 08:58, Tankred Hase wrote:
>> Hi,
>> we've added HKP key server support to Whiteout Wail and have
>> written a post about usability. Though I'd share it here:
>> https://blog.whiteout.io/2015/02/06/making-pgp-key-management-invisible-so-johnny-can-encrypt/
>>  Thanks for any feedback!
>> Tankred

Sent from Whiteout Mail - https://whiteout.io

My PGP key: https://keys.whiteout.io/tankred@whiteout.io
Whiteout Networks GmbH c/o Werk1
Grafinger Str. 6
D-81671 München
Geschäftsführer: Oliver Gajek
RG München HRB 204479
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 528 bytes
Desc: not available
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150209/4f436185/attachment.sig>

More information about the Messaging mailing list