

TOFU, Keybase, and Other Vegan Security Choices - hlieberman
http://blog.setec.io/2015/08/08/tofu.html

======
ziedaniel1
It's possible to do a lot better than TOFU or Keybase. Andres Erbsen and I
have been working on dename, a key distribution system based on the anytrust
model: as long as at least one of the servers you rely on is good, you're
safe. See his writeup here: https://andres.systems/blog/2015-07-22-another-take-at-public-key-distribution/
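The anytrust property this comment describes, as an added Go example that is not dename's code: a set of servers each sign a name-to-key directory, and the client accepts a state only when every server it trusts has signed it. The real system signs a history of states; this collapses it to a single state, and the "honest servers only sign what matches their own copy" policy, the server and name labels, and the sample keys are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Directory is the name -> public key mapping the servers jointly publish.
type Directory map[string][]byte

// Digest hashes the directory canonically (entries sorted by name) so every
// server and client computes the same bytes for the same mapping.
func (d Directory) Digest() [32]byte {
	names := make([]string, 0, len(d))
	for n := range d {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%s\x00%s\n", n, hex.EncodeToString(d[n]))
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Server keeps its own copy of the directory. An honest server signs a state
// only when it equals that copy (assumed policy); a compromised one signs anything.
type Server struct {
	Pub         ed25519.PublicKey
	priv        ed25519.PrivateKey
	view        Directory
	compromised bool
}

func NewServer(view Directory, compromised bool) *Server {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Server{Pub: pub, priv: priv, view: view, compromised: compromised}
}

// Endorse returns the server's signature over the proposed state, or nil
// when it refuses to sign.
func (s *Server) Endorse(proposed Directory) []byte {
	d := proposed.Digest()
	if !s.compromised && d != s.view.Digest() {
		return nil
	}
	return ed25519.Sign(s.priv, d[:])
}

// Endorsements keeps one slot per server (nil for a refusal) so the slice
// stays aligned with the client's trusted-key list.
func Endorsements(servers []*Server, state Directory) [][]byte {
	sigs := make([][]byte, len(servers))
	for i, s := range servers {
		sigs[i] = s.Endorse(state)
	}
	return sigs
}

// Lookup is the client's anytrust check: the state is accepted only if every
// trusted server signed it. One honest server withholding its signature is
// enough to make a forged state fail here, however many others signed it.
func Lookup(name string, state Directory, sigs [][]byte, trusted []ed25519.PublicKey) ([]byte, error) {
	if len(sigs) != len(trusted) {
		return nil, errors.New("endorsement count does not match trusted servers")
	}
	d := state.Digest()
	for i, pub := range trusted {
		if !ed25519.Verify(pub, d[:], sigs[i]) {
			return nil, fmt.Errorf("server %d did not endorse this state", i)
		}
	}
	key, ok := state[name]
	if !ok {
		return nil, errors.New("name not in directory")
	}
	return key, nil
}

func main() {
	honest := Directory{"alice": []byte("alice-real-key")} // constructed sample
	forged := Directory{"alice": []byte("attacker-key")}   // constructed sample
	servers := []*Server{NewServer(honest, false), NewServer(honest, true), NewServer(honest, true)}
	var trusted []ed25519.PublicKey
	for _, s := range servers {
		trusted = append(trusted, s.Pub)
	}
	_, err := Lookup("alice", forged, Endorsements(servers, forged), trusted)
	fmt.Println("forged state, 2 of 3 servers compromised:", err)
	key, err := Lookup("alice", honest, Endorsements(servers, honest), trusted)
	fmt.Printf("genuine state: %s (err=%v)\n", key, err)
}
```

The point to notice is that the client never has to decide which server is honest; it only has to have picked a set containing at least one, since any forgery is missing that server's signature. The trade-off is availability: a single server that is down or refuses to sign blocks all updates.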

------
kpcyrd
I don't think this is ready for a mass deployment yet, but have a look at
namecoin[1] and cjdns[2].

cjdns generates a keypair and maps the fingerprint of the public key to an
IPv6 address, so the IP address can be used to verify the secrecy of the
connection.

Namecoin allows you to utilize the namecoin blockchain for your DNS queries,
so it's a secure way to resolve names to IP addresses.

You have to run the namecoin resolver on your local machine though.

[1]: [https://namecoin.info/](https://namecoin.info/)

[2]: [https://github.com/cjdelisle/cjdns](https://github.com/cjdelisle/cjdns)
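The key-to-address mapping described above for cjdns, as an added Go example rather than cjdns's own code. cjdns takes the first 16 bytes of SHA-512(SHA-512(Curve25519 public key)) as the node's IPv6 address and only keeps keys whose address falls in fc00::/8; the generation loop and the peer check below are written here to show why an address can stand in for a key fingerprint. Function names are my own.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
	"net"
)

// AddressFor derives the cjdns address of a Curve25519 public key: the first
// 16 bytes of SHA-512(SHA-512(key)), read as an IPv6 address.
func AddressFor(pub []byte) net.IP {
	first := sha512.Sum512(pub)
	second := sha512.Sum512(first[:])
	return net.IP(second[:16])
}

// ValidAddress reports whether the address falls in fc00::/8, the range cjdns
// reserves; a key whose hash lands elsewhere is simply not usable as a node.
func ValidAddress(ip net.IP) bool {
	return len(ip) == 16 && ip[0] == 0xfc
}

// GenerateNodeKey draws fresh X25519 keypairs until one hashes into fc00::/8,
// which is what a node does at setup. About 1 in 256 candidates qualifies.
func GenerateNodeKey() (priv *ecdh.PrivateKey, ip net.IP, tries int, err error) {
	for {
		tries++
		priv, err = ecdh.X25519().GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, tries, err
		}
		ip = AddressFor(priv.PublicKey().Bytes())
		if ValidAddress(ip) {
			return priv, ip, tries, nil
		}
	}
}

// PeerMatches is the check that makes the address meaningful: once the
// handshake has shown the peer holds the private half of peerPub, the address
// you dialled must equal the hash of that key. A router that controls the path
// but not the key cannot present a public key that hashes to your destination.
func PeerMatches(dialled net.IP, peerPub []byte) bool {
	return ValidAddress(dialled) && dialled.Equal(AddressFor(peerPub))
}

func main() {
	priv, ip, tries, err := GenerateNodeKey()
	if err != nil {
		panic(err)
	}
	pub := priv.PublicKey().Bytes()
	fmt.Printf("address %s after %d candidates\n", ip, tries)
	fmt.Println("own key matches:", PeerMatches(ip, pub))
	impostor := append([]byte(nil), pub...)
	impostor[0] ^= 1 // some other key; its own address is irrelevant here
	fmt.Println("impostor key matches:", PeerMatches(ip, impostor))
}
```

What this buys you is the property the comment alludes to: the address is a 128-bit truncation of the key's hash, so whoever can decrypt traffic to that address must hold the key. What it does not buy you is a human-meaningful name, which is why the comment pairs it with Namecoin.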

------
hlieberman
This is the last article in the series that began with "GPG is awesome; GPG is
terrible".

------
larrysalibra
Another key distribution system is to use a key-value blockchain store based
naming model such as Blockchain ID (formerly Passcard, Onename).

https://github.com/blockstack/blockstack/wiki/Blockchain-ID-Schema-v2

You use the user's username (key) to look up their profile, which is either
stored in the blockchain or "snapshotted" to the blockchain so that it is
tamperproof. You can store the PGP (or OTR or <insert your favorite public key
here>) public key fingerprint in the profile.

------
angry_octet
Given the problems with CAs, TLS is falling back to TOFU (public key pinning).
(At least with pinning you can trust a subset of CAs, not just leaf nodes. If I
could do that with SSH host keys it would be helpful.)
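Pinning a subset of CAs rather than the leaf, as an added Go example that is not from the article or the comment: an HPKP-style SPKI pin checked inside crypto/tls's VerifyPeerCertificate hook, which only runs on chains that have already passed normal validation. A throwaway CA and leaf are minted in-process so it runs offline; the CA name and the hostname are made up, and the pin set would in practice come from configuration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin is the HPKP pin form, base64(SHA-256(SubjectPublicKeyInfo)).
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPins passes only if some certificate in a validated chain carries a
// pinned SPKI. The pin may sit on a root or intermediate, so this narrows
// trust to a chosen subset of CAs without fixing the leaf key.
func VerifyPins(verifiedChains [][]*x509.Certificate, pins map[string]bool) error {
	for _, chain := range verifiedChains {
		for _, cert := range chain {
			if pins[SPKIPin(cert)] {
				return nil
			}
		}
	}
	return errors.New("no certificate in any validated chain matches a pinned SPKI")
}

// PinnedTLSConfig wires the check into crypto/tls; the hook only receives
// chains that already passed ordinary validation against the root store.
func PinnedTLSConfig(pins map[string]bool) *tls.Config {
	return &tls.Config{
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			return VerifyPins(chains, pins)
		},
	}
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoChain mints a throwaway CA and a leaf it signs (names made up) so
// the example runs offline; in practice the chain arrives from the peer.
func BuildDemoChain() (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Pinned CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "blog.setec.io"},
		DNSNames:    []string{"blog.setec.io"},
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return ca, leaf, err
}

func main() {
	ca, leaf, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "blog.setec.io"})
	if err != nil {
		panic(err)
	}
	fmt.Println("pin on CA: ", VerifyPins(chains, map[string]bool{SPKIPin(ca): true}))
	fmt.Println("wrong pin: ", VerifyPins(chains, map[string]bool{"AAAA": true}))
}
```

Because the hook runs after path validation, the pin narrows the trust store rather than replacing it: pinning the CA's SPKI accepts any leaf that CA issues and rejects leaves from every other CA the system trusts, which is the "subset of CAs, not just leaf nodes" property. Pin at least one backup key you control, since a lost pinned key locks clients out until the pin expires.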

------
technomancy
Unrelated to the content, but it's very difficult to read the article with
those "st" ligatures everywhere. It gives a distinct "I just read an
introductory typography book" impression.

Edit: apparently only visible in Gecko. Wonder if it's intentional.

