It's possible to do a lot better than TOFU or Keybase. Andres Erbsen and I have been working on dename, a key distribution system based on the anytrust model: as long as at least one of the servers you rely on is good, you're safe. See his writeup here: https://andres.systems/blog/2015-07-22-another-take-at-publi...
I don't think this is ready for a mass deployment yet, but have a look at namecoin[1] and cjdns[2].
cjdns generates a keypair and maps the fingerprint of the public key to an ipv6 address, so the ip address can be used to verify the secrecy of the connection.
Namecoin allows you to utilize the namecoin blockchain for your dns queries, so it's a secure way to resolve names to ip addresses.
You have to run the namecoin resolver on your local machine though.
Unrelated to the content, but it's very difficult to read the article with those "st" ligatures everywhere. It gives a distinct "I just read an introductory typography book" impression.
Edit: apparently only visible in Gecko. Wonder if it's intentional.
Given the problems with CAs, TLS is falling back to TOFU (public key pinning). (At least with pinning you can trust a subset of CAs,not just leaf nodes. If I could do that with SSH host keys it would be helpful.)
You use the user's username (key) to look up their profile which is either stored in the blockchain or "snapshotted" to the blockchain so that it is tamperproof. You can store the PGP (or OTR or<insert your favorite public key here>) public key fingerprint in the profile.
6 comments
[ 2.8 ms ] story [ 27.7 ms ] threadcjdns generates a keypair and maps the fingerprint of the public key to an ipv6 address, so the ip address can be used to verify the secrecy of the connection.
Namecoin allows you to utilize the namecoin blockchain for your dns queries, so it's a secure way to resolve names to ip addresses.
You have to run the namecoin resolver on your local machine though.
[1]: https://namecoin.info/
[2]: https://github.com/cjdelisle/cjdns
Edit: apparently only visible in Gecko. Wonder if it's intentional.
https://github.com/blockstack/blockstack/wiki/Blockchain-ID-...
You use the user's username (key) to look up their profile which is either stored in the blockchain or "snapshotted" to the blockchain so that it is tamperproof. You can store the PGP (or OTR or<insert your favorite public key here>) public key fingerprint in the profile.