[JDEV] PGP and the Web of Trust
max at quendi.de
Tue Oct 10 11:48:53 CDT 2000
judging by some early messages on the PGP key issue, I think that not
everyon knows or fully understands the PGP web of trust, so let me
explain here what it is, and why it means we can safely store keys in
the vcard or even send them along with messages (not that I would
like this to happen, as it would take to much bandwith IMHO).
First, some definitons:
a (public) key is "valid" if you know it really belongs to the person
whose name appears on it (e.g. my key is marked as belonging to "Max
Horn <max at quendi.de>"). Note: this does not tell you how to determine
if a key is valid
If you "trust" a key, it means you think that the guy who own the key
is trustworthy. If that guy signs a key, you think that the key
signed by him is valid. A key which is "trusted" must be valid first.
Note: If you know someone well, and think he's hones, you not
necessarily have to "trust" him in the sense of this definition.
Trusting someone means you think he's not only honest but also
understands the Web Of Trust and is so clever to verify any key
before signing it! If someone is honest but a bit, err, stupid, you
won't trust him on signing keys.
"Signing a key":
If you trust a key, you can mark it as such by signing it (and
possibly redistrubting it, e.g. sending it back to the keyserver
which then can add your signature to the key).
"CA" = Certification Authoriy:
A CA is a company or organizartion that has specialised on signing
other keys. TO do so, they ususally request that you come physically
to them, and show your ID card. They can then be sure your key is
valid, and will sign it (thus marking it as valid).
Now, if you encounter a key that is new to you, but is signed by a CA
you know, you can be sure it is valid (if you trust that particular
CA; if M$ opens a CA, you might decide not to trust it <g>)
How the web of trust works:
You try to get as many people & CAs as possible to sign your key.
Now, if someone wants to communicate encrypted with you, you can
email him your key. This email could be intercept to do a
"man-in-the-middle" attack of course. But just as well a keyserver
could be replaced, so getting the key from one wouldn't be much more
So, how can the guy be sure that your key is "valid" ? Simple: he
checks who signed your key. If a CA or a guy he knows signed it, he
can be sure it is valid. In reality, he propably will only accept it
as valid if two or three CAs/guys signed it, but you get the idea I
Now, what if he does not know any of the people who signed the key?
No way for him to validate your key? There is a solution of course:
he can fetch the keys of the people that signed your key. Then he can
check those, and tries to validate the new keys. If he manages to
validate enough of the new keys, he can validate your key, too.
To help you understand this, here's an example: my key is signed by
the "c't CA". c't is a big german computer magzin, and you can easily
verify their key since in each of their fortnightly issues they print
the key finger print.
But since most people in the world won't be reading c't (and not even
now it), this does not help. However, the c't key is signed by dozens
other CAs and real people. Chances are high you know&trust at least
some of the CAs signing the c't key, and thus can validate it. If you
do, you can be sure my key is valid, too (if you trust me is
It is perfectly save to store public keys in the vcard, or send them
along in messages or distribute them over your web page. It is *not*
safer to only get keys from a keyserver. The only way to validate a
key is to check who signed it, or to get it physically from someone
(this can mean differnt things: you get it on a disk from a friend;
or in the case of the c't key I can verifiy the key finger print
printed black-on-white in each issue).
I hope this clarifies the topic. Feel free to ask me if you don't
understand something. Oh, and if I made some mistakes, please forgive
me, I'm only a human and wrote this down in a hurry :)
International C/C++/Internet Development
email: <mailto:max at quendi.de>
phone: (+49) 2621-188947
More information about the JDev