Well, TOFU is really just the model for how the chain of trust is established. In practice there isn’t really trust on first use: there’s “verify the key matches what’s expected”, or “distribute keys out-of-band (including certs)”. If that verification step isn’t happening, then it’s not TOFU, it’s just blind trust.

From an automation/autoscaling angle, the same thing shows up again:

1. either keys are pre-baked / distributed
2. or, something signs them at boot

Signing an instance key is just another way of distributing trust. It doesn’t remove the need for a root of trust, it moves it. Certificates just add extra steps around the same underlying task.
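The three policies the comment contrasts (pre-baked/pinned key, CA-signed at boot, and blind acceptance) side by side, as an added example that is not the commenter's code. It uses only Go's standard-library Ed25519 and a hypothetical minimal certificate format (identity plus host key, signed by a fleet CA); real deployments would use OpenSSH host certificates (`ssh-keygen -s`) with a `@cert-authority` line in `known_hosts`, which carry more fields. The key names, identities and `InstanceCert` structure are assumptions for illustration. The last check in `main` is the point of the comment: once the CA key is what the client trusts, whoever holds the CA key can mint a cert for any host key, so the root of trust has moved, not disappeared.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// InstanceCert is a hypothetical "signed at boot" artifact: the instance's
// host key and its identity, signed by the fleet CA. Constructed for this
// example; OpenSSH certificates carry more (serial, validity, principals).
type InstanceCert struct {
	Identity string
	HostKey  ed25519.PublicKey
	Sig      []byte
}

// GenKey wraps key generation so callers need no crypto/rand import.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// certBody binds identity and key together under one signature, so a valid
// signature over one host's key cannot be replayed for another identity.
func certBody(identity string, key ed25519.PublicKey) []byte {
	return append([]byte(identity+"\x00"), key...)
}

// IssueCert is what the CA side does when a fresh instance boots and
// presents its newly generated host key.
func IssueCert(caPriv ed25519.PrivateKey, identity string, key ed25519.PublicKey) InstanceCert {
	return InstanceCert{Identity: identity, HostKey: key, Sig: ed25519.Sign(caPriv, certBody(identity, key))}
}

// Fingerprint mirrors the "SHA256:..." form ssh-keygen -l prints.
func Fingerprint(key ed25519.PublicKey) string {
	sum := sha256.Sum256(key)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// VerifyPinned is policy 1: the client was given the expected key (or its
// fingerprint) out-of-band and compares what the host presents against it.
func VerifyPinned(expectedFP string, presented ed25519.PublicKey) error {
	if Fingerprint(presented) != expectedFP {
		return errors.New("host key does not match pinned fingerprint")
	}
	return nil
}

// VerifySigned is policy 2: the client holds only the CA public key and
// checks that the presented cert was issued by that CA for this identity.
func VerifySigned(caPub ed25519.PublicKey, expectedIdentity string, c InstanceCert) error {
	if c.Identity != expectedIdentity {
		return errors.New("certificate issued for a different identity")
	}
	if !ed25519.Verify(caPub, certBody(c.Identity, c.HostKey), c.Sig) {
		return errors.New("certificate not signed by trusted CA")
	}
	return nil
}

// VerifyBlind is the StrictHostKeyChecking=no equivalent: whatever the peer
// presents is accepted, so there is nothing here an attacker can fail.
func VerifyBlind(_ ed25519.PublicKey) error { return nil }

func main() {
	caPub, caPriv := GenKey()      // fleet CA, the root of trust for policy 2
	instPub, _ := GenKey()         // legitimate instance host key
	attackerPub, _ := GenKey()     // key presented by a man-in-the-middle
	_, attackerCAPriv := GenKey()  // attacker's own CA, untrusted by clients

	fmt.Println("pinned, real host:    ", VerifyPinned(Fingerprint(instPub), instPub))
	fmt.Println("pinned, attacker:     ", VerifyPinned(Fingerprint(instPub), attackerPub))

	good := IssueCert(caPriv, "web-17", instPub)
	forged := IssueCert(attackerCAPriv, "web-17", attackerPub)
	fmt.Println("signed, real cert:    ", VerifySigned(caPub, "web-17", good))
	fmt.Println("signed, forged cert:  ", VerifySigned(caPub, "web-17", forged))
	fmt.Println("signed, wrong identity", VerifySigned(caPub, "db-01", good))

	fmt.Println("blind, attacker:      ", VerifyBlind(attackerPub))

	// Trust moved, not removed: a leaked CA key mints certs clients accept.
	minted := IssueCert(caPriv, "web-17", attackerPub)
	fmt.Println("signed, leaked CA key:", VerifySigned(caPub, "web-17", minted))
}
```

Pinning needs the per-host key delivered before first contact (baked into the image, pushed by config management, or fetched from a trusted inventory); the CA model needs only one public key on every client but makes that CA's private key the thing whose compromise defeats every host check at once.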