web of trust : Java Glossary


web of trust
A scheme in PGP encryption for verifying that a given public key truly belongs to the person it claims to. The problem in PGP (Pretty Good Privacy) is that all certificates are self-signed. There is no certificate authority company that verifies identities or issues certificates. Instead, individual users verify other people’s public keys and attest to that fact by digitally signing them with their own private keys. Based on whom you trust to verify others, you can compute a level of assurance about the owner of any key presented to you. As your key acquires more endorsements, it becomes more trustworthy, and so do the endorsements made with it. The problem the web of trust attempts to solve is that somebody could easily set up a PGP key in your name and pretend to be you, or set up an account under a completely fictitious name. He would, however, have difficulty getting other reputable people to sign his key.

PGP public keys, with their attached validation signatures, are distributed primarily via public keyservers and secondarily via the websites of the key owners.

Key Signing Party

A key-signing party requires at least two people.

Prior to attending, you print out the fingerprints of your own various keys, and of the people whose keys you plan to verify. In Enigmail you view the key properties to find the fingerprint. The fingerprint is not secret. For example, my fingerprint for my Roedy Green email key is B452 0372 6F10 2713 4FF5 7AE1 945A 4DDA BC35 BEDB. With GnuPG, you can find out fingerprints with:

gpg --fingerprint key-id

When we meet, we verify everyone’s fingerprints, making sure that your copy of my public key and my copy of your public key are both correct.

We show each other ID to convince each other that we are who we claim to be.

Once we return home with the verified fingerprints, we import the keys if we don’t already have them, then we sign each other’s verified keys:

gpg --edit-key key-id

It’s discouraged to bring your own laptop, diskettes, CDs (Compact Discs), flash drives etc. to a key signing, and at a mass key-signing party they are generally forbidden. This is to ensure that there’s no shoulder-surfing or keylogging of pass phrases. All that’s required is our key fingerprints, which are cryptographically unique enough to identify the key.

Once keys are cross-signed, upload them to the public key servers (with the attached endorsements), and replace any copies you have posted on your website. That way anyone fetching your key will get the endorsements as well. You upload both your own public keys and the public keys of others you have signed. The key server database will merge the endorsements from the various sources.

Additionally, if you have multiple keys, cross-sign them with each other. That way, someone who has acquired a verified key for one of your email addresses automatically has verified copies of the keys for your other addresses.

You can then download your own public keys to get copies of the recent endorsements. See GnuPG for details on how you disseminate your public keys.
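To make the assurance computation described in the first paragraph concrete, here is an added example (not code from this glossary and not GnuPG’s own implementation) that applies a simplified version of the GnuPG classic trust model’s defaults to a constructed set of keys, certifications and owner-trust assignments; all names, including the impostor key, are made up.

```python
"""Simplified web-of-trust validity computation, modelled on the defaults of
GnuPG's classic trust model: a key is valid if you trust it ultimately, or if
it is certified by already-valid keys whose owners you trust fully (one is
enough) or marginally (three are needed), within 5 certification hops."""

ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"

# Constructed sample: key -> keys that certified it (self-signatures omitted,
# since signing your own key proves nothing about who you are).
SIGNATURES = {
    "alice": {"me"},
    "bob": {"alice"}, "carol": {"alice"}, "dave": {"alice"},
    "eve": {"bob", "carol", "dave"},   # three marginal endorsers
    "mallory": {"bob"},                # only one marginal endorser
    "frank": {"eve"},                  # eve is valid but you assigned her no owner trust
    "roedy-impostor": {"mallory"},     # endorsed only by a key that is itself not valid
}

# Constructed sample: how far you trust each owner to certify *other* keys.
OWNER_TRUST = {"me": ULTIMATE, "alice": FULL,
               "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL}


def compute_validity(signatures, owner_trust,
                     completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: depth} for every key whose binding to its owner is valid.
    Depth 0 is your own ultimately trusted key; each certification hop adds 1."""
    valid = {k: 0 for k, t in owner_trust.items() if t == ULTIMATE}
    for depth in range(1, max_depth + 1):
        newly = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            # Only endorsements from keys that are already valid count, and only
            # as far as you trust their owners' signing habits.
            full = [s for s in signers if s in valid and owner_trust.get(s) in (FULL, ULTIMATE)]
            marg = [s for s in signers if s in valid and owner_trust.get(s) == MARGINAL]
            if len(full) >= completes_needed or len(marg) >= marginals_needed:
                newly[key] = depth
        if not newly:
            break          # fixed point: no further keys can become valid
        valid.update(newly)
    return valid


if __name__ == "__main__":
    validity = compute_validity(SIGNATURES, OWNER_TRUST)
    for key in sorted(set(SIGNATURES) | set(OWNER_TRUST)):
        print(f"{key:15s}", f"valid at depth {validity[key]}" if key in validity else "NOT valid")
```

Note that the impostor key stays invalid even though it carries a signature, because its only endorser is not itself valid; that is the property the glossary entry describes.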
