> On Aug 31, 2016, at 10:46 PM, Viktor Dukhovni <ietf-dane@xxxxxxxxxxxx> wrote: > > Except for (allegedly) EV certs, the entire Web PKI runs on TOFU, > except that it happens invisibly (swept under the rug) between the > CA and the purported domain owner. > > Thus DV certs are TOFU for public consumption, where the CA gets > to regurgitate the same TOFU to feed all the relying parties. I should perhaps add that the problem with TOFU is not so much that is especially weak authentication, but rather that is much too fragile for peering to a large number of peers. When uses TOFU for SSH to a small set of servers, or to connect to a small, mostly stable set of networks, it can be a reasonable fit. When one uses TOFU with a large dynamic set of peers with keys relatively frequently becoming stale TOFU, then it becomes a rather poor user experience, and is counter-productive. -- Viktor.