TOFU + a standard or convention for validating keys with Face-To-Face verification?
If I go to a bank or business, and as part of setting up a relationship they hand me a pamphlet printed with their Public Key Fingerprint, AND the browser shows me that fingerprint image at first use, ..... then that's pretty reliable verification, isn't it?
A standard for face-to-face TOFU checking would be in addition to the PKI infrastructure, and to facilitate a secure way to use self-signed certs.
Obviously we've never had face-to-face relationships with the likes of Paypal, Stripe, etc, and would still rely on our browser and operating system vendors to validate the chain of authority.