> Granted. And it does provide a speed bump to a potential attacker, so
> is preferable to nothing. But it's not a long term solution.

Beware all absolutes. There are lots of situations in which TOFU works *just fine* as a long-term solution. Remember, the truest answer in cryptography is, "It depends a lot on the situation."

I've known vedaal for what, coming up on 20 years now, vedaal? I've never used any verification for him besides TOFU. Works just fine for us. There's a decent chance it's been working for us longer than you've been alive. :)

I think people have a vast misunderstanding about the TOFU threat model. If you are already under active attack by a well-funded adversary, then yes, you're screwed: don't use TOFU. But if you're not, then TOFU allows you a much easier way to build and develop your own personal Web of Trust in ways that make it much harder for an active attacker to later on subvert your communications.

> Tofu does not guarantee identity persistence.

Neither does the WoT. What does, for that matter?

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users