The UX for ToFU depends on the use model. For DHCP, the use model I would
expect to be most common would be "if I have a choice between a server I
talked to before that worked, and a server whose claimed identity can't be
checked either because no authentication or because never seen before, pick
the one I've seen before that worked." So it would be interesting to
answer the question, does this make things worse or better in practice? I
think better, but I'm curious to see what sort of opprobrium will rain down
on me for putting forth that theory. :)