
A Social Network of Trusted Keys


One of the common problems with public-key cryptography is establishing trust: how can I know it is safe to use the public key of a colleague working in a remote office, whom I've never met, to send him or her a secure message? How can I tell the difference between a genuine key, held by the person I'm actually trying to reach, and a key generated by an impostor and uploaded to a public key directory?


PGP and the OpenPGP standard allow users to create a "Web of Trust": by meeting in person, exchanging keys and signing each other's keys, people establish trust directly. By establishing trust with a person, I also establish trust, through varying degrees of separation, with the other PGP users he or she trusts, and so on. This means that by signing the keys of people I trust I participate in creating a decentralized social network of trusted key holders.

So, if I trust that Alice's key is genuine because I have met her and signed her key, and Alice trusts that Bob's key is genuine because she has met him and signed his key, PGP will tell me I can have a relatively high level of trust in Bob's key, given that it has been signed by a person I trust.
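The Alice-and-Bob propagation above, worked through as an added example (my own code, not part of the original post). It separates the two things PGP actually tracks: whether a key is valid (certified by enough keys I rely on) and how far I trust its owner to vouch for others (owner trust). The thresholds and depth limit are assumptions that mirror GnuPG's classic defaults; the names and signatures are constructed sample data.

```python
# Added example: a minimal model of OpenPGP's classic trust model.
# A key becomes valid when it is my own (ultimate owner trust), or when
# it carries certifications from enough already-valid keys whose owners
# I trust as introducers. Thresholds below mirror GnuPG's classic
# defaults (assumption); the sample data is constructed for this post.
from typing import Dict, Set

COMPLETES_NEEDED = 1   # one fully trusted introducer suffices
MARGINALS_NEEDED = 3   # or three marginally trusted introducers
MAX_CERT_DEPTH = 5     # hops allowed from my own key

# Constructed sample data: key -> set of keys that certified it.
SIGNATURES = {
    "alice": {"me"},
    "bob": {"alice"},
    "carol": {"me"},
    "dave": {"me"},
    "eve": {"carol", "dave"},   # two marginal introducers: short of three
    "frank": {"mallory"},       # certified only by a key I know nothing about
}
# Constructed owner-trust assignments: how much I trust each key's owner
# to vouch for other people's keys. Keys not listed get no introducer trust.
OWNER_TRUST = {"me": "ultimate", "alice": "full",
               "carol": "marginal", "dave": "marginal"}


def compute_validity(signatures: Dict[str, Set[str]],
                     owner_trust: Dict[str, str]) -> Dict[str, bool]:
    """Return {key: is_valid} by propagating from my ultimately trusted keys."""
    depth = {k: 0 for k, t in owner_trust.items() if t == "ultimate"}
    changed = True
    while changed:                       # iterate to a fixpoint
        changed = False
        for key, signers in signatures.items():
            if key in depth:
                continue
            # Only valid signers within the depth limit count as introducers.
            usable = [s for s in signers
                      if s in depth and depth[s] < MAX_CERT_DEPTH]
            full = sum(owner_trust.get(s) in ("ultimate", "full") for s in usable)
            marginal = sum(owner_trust.get(s) == "marginal" for s in usable)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                depth[key] = 1 + min(depth[s] for s in usable)
                changed = True
    return {k: k in depth for k in set(signatures) | set(owner_trust)}


if __name__ == "__main__":
    for name, valid in sorted(compute_validity(SIGNATURES, OWNER_TRUST).items()):
        print(f"{name:6} valid={valid}")
```

Bob's key comes out valid because Alice is both valid and fully trusted, while Eve's does not: two marginal introducers are not enough, and Frank's stranger-signed key stays untrusted however many times it is uploaded to a key server.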


Unlike some other public-key cryptography solutions, the Web of Trust operates in a truly decentralized manner without a government or commercial entity having absolute control over who can be trusted.


You can read more about PGP's Web of Trust at http://en.wikipedia.org/wiki/Web_of_trust
