-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Trust On First Use. It's a key-exchange method where you trust the first time you grab a key, and use that, instead of a cert-authority or anything like that. It's used for SSH iirc, though I could be wrong. The idea behind it is that unless the MITM performs a MITM the first time and every time thereafter, you'll at least notice the attack, and likely prevent it.

I was going to provide a Wikipedia link, but I couldn't seem to find one, other than this one hidden in a user page.
https://en.wikipedia.org/wiki/User:Dotdotike/Trust_Upon_First_Use

On 07/26/2013 09:06 AM, tz wrote:
> Sorry for being slow, but what is TOFUing?
>
> On Fri, Jul 26, 2013 at 8:27 AM, Andy Isaacson <adi@hexapodia.org> wrote:
>
>
>     I've run my primary browser with no trusted CAs, manually TOFUing
>     certificates for sites, for months on end.  It's slightly easier than
>     "view source" to use control-shift-K (in Firefox) and reload the page,
>


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
-----END PGP SIGNATURE-----
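The trust-on-first-use check described in the message above, as an added Python example (not part of the original e-mail and not the code of any SSH client or browser). The names `TofuStore` and `Verdict`, the JSON pin file, and the host and key values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from enum import Enum

class Verdict(Enum):
    FIRST_USE = "first use: key pinned"
    MATCH = "key matches pin"
    MISMATCH = "key differs from pin"

class TofuStore:
    """Maps a host name to the SHA-256 fingerprint pinned on first contact."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def check(self, host, key_bytes):
        seen = hashlib.sha256(key_bytes).hexdigest()
        pinned = self.pins.get(host)
        if pinned is None:
            # Nothing to compare against: this is the one unauthenticated step.
            self.pins[host] = seen
            self._save()
            return Verdict.FIRST_USE
        if hmac.compare_digest(pinned, seen):
            return Verdict.MATCH
        # Keep the old pin; replacing it must be a deliberate, out-of-band decision.
        return Verdict.MISMATCH

    def _save(self):
        with open(self.path, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)

def demo():
    """Constructed keys: the same key twice, then a different key on a later visit."""
    with tempfile.TemporaryDirectory() as d:
        store = TofuStore(os.path.join(d, "pins.json"))
        genuine, other = b"constructed-server-key", b"constructed-other-key"
        results = [store.check("example.test", k) for k in (genuine, genuine, other)]
        # A fresh process loading the same file still sees the original pin.
        results.append(TofuStore(store.path).check("example.test", genuine))
        return results
```

A `MISMATCH` only says the key changed; it cannot say which of the two keys is the genuine one, which is why the first contact is the step this scheme leaves unauthenticated.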