web of trust : Java Glossary

2009-03-20 by Roedy Green ©1996-2009 Canadian Mind Products
web of trust
A scheme in PGP encryption to verify that a given public key truly belongs to the person it claims to belong to. The problem in PGP is that all certificates are self-signed: there is no certificate authority company that verifies identities or issues certificates. Instead, individual users verify other people’s public keys and attest to that fact by digitally signing them with their own private keys. Based on whom you trust to verify others, you can compute a level of assurance about the owner of any given key. The more endorsements your key acquires, the more trustworthy it becomes, and the more trustworthy the endorsements made with that key become. The problem the web of trust attempts to solve is that somebody could easily set up a PGP key in your name and pretend to be you, or set up an account under a completely fictitious name. He would have difficulty getting other reputable people to sign his key.

PGP public keys, with their attached validation signatures, are distributed primarily via public keyservers and secondarily via the websites of the key owners.

Key Signing Party

A key-signing party requires at least two people.

Prior to attending, you print out the fingerprints of your own various keys, and of the keys of the people you plan to verify. In Enigmail you view the key properties to find the fingerprint. The fingerprint is not secret. For example, my fingerprint for email as Roedy Green is B452 0372 6F10 2713 4FF5 7AE1 945A 4DDA BC35 BEDB. With GnuPG, you can find out fingerprints with:

gpg --fingerprint key-id

When we meet, we verify everyone’s fingerprints, making sure that your copy of my public key and my copy of your public key are both correct.

We show each other ID to convince each other that we are who we claim to be.

Once we return home with the verified key fingerprints, we import the keys if we don’t already have them, then we sign each other’s verified keys:

gpg --edit-key key-id
sign

Bringing your own laptop, diskettes, CDs, flash drives etc. to a key signing is discouraged, and at a mass key-signing party they are generally forbidden. This ensures that there is no shoulder-surfing or keylogging of pass phrases. All that is required is the key fingerprints, which are cryptographically unique enough to verify the key.

Once keys are cross-signed, upload them to the public key servers (with the attached endorsements), and replace any online copies you have on your website. That way anyone fetching your key will get the endorsements as well. You upload both your own public keys and the public keys of others you have signed. The keyserver database will merge the endorsements from the various sources.

Additionally, if you have multiple keys, cross-sign them with each other. That way, someone who has acquired a verified key for one of your email addresses automatically has verified copies of the keys for your other addresses.

You can then download your own public keys to get copies of the recent endorsements. See GnuPG for details on how you disseminate your public keys.
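As an added illustration (not code from this glossary or from GnuPG), the following Python models how the level of assurance described at the top of this entry is derived from the signatures collected at a key-signing party, and how printed fingerprints are normalised before being compared. The keyring, the fingerprints and the trust assignments are constructed; the thresholds are GnuPG’s documented defaults for its classic trust model (one fully trusted signer or three marginally trusted signers, at most five hops from your own key).

```python
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5  # GnuPG defaults

def normalize_fingerprint(fp: str) -> str:
    """Canonicalise a printed fingerprint (spacing, case) before comparing."""
    fp = "".join(fp.split()).upper()
    if len(fp) != 40 or any(c not in "0123456789ABCDEF" for c in fp):
        raise ValueError(f"not a 160-bit hex fingerprint: {fp!r}")
    return fp


def compute_validity(signatures, own, owner_trust):
    """Return {fingerprint: 'full' | 'marginal' | 'unknown'}.

    signatures : fingerprint -> set of fingerprints whose keys signed it
    own        : your own fingerprints (always fully valid and trusted)
    owner_trust: fingerprint -> 'full' | 'marginal', how far you trust
                 that person to check identities before signing a key
    Validity spreads from your own key one hop per round (at most
    MAX_CERT_DEPTH hops); only signatures by already fully valid keys count.
    """
    validity = {fp: "full" if fp in own else "unknown" for fp in signatures}
    for _ in range(MAX_CERT_DEPTH):
        prev = dict(validity)
        for fp, signers in signatures.items():
            if prev[fp] == "full":
                continue
            fulls = marginals = 0
            for s in signers - {fp}:  # a self-signature never counts
                if prev.get(s) == "full":
                    trust = "full" if s in own else owner_trust.get(s)
                    fulls += trust == "full"
                    marginals += trust == "marginal"
            if fulls >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                validity[fp] = "full"
            elif marginals:
                validity[fp] = "marginal"
        if validity == prev:
            break
    return validity


# Constructed keyring: placeholder fingerprints, not real keys. Mallory's key
# carries only its own self-signature, as an impostor's typically would.
ALICE, BOB, CAROL, DAVE, ERIN, FRANK, MALLORY = (f"{i:040X}" for i in range(1, 8))
SIGNATURES = {
    ALICE: {ALICE}, BOB: {BOB, ALICE}, CAROL: {CAROL, ALICE}, DAVE: {DAVE, BOB},
    ERIN: {ERIN, CAROL}, FRANK: {FRANK, CAROL, DAVE, ERIN}, MALLORY: {MALLORY},
}
OWNER_TRUST = {BOB: "full", CAROL: "marginal", DAVE: "marginal", ERIN: "marginal"}
VALIDITY = compute_validity(SIGNATURES, {ALICE}, OWNER_TRUST)
```

Frank has three signatures, but Erin’s key is itself only marginally valid, so her signature does not count and Frank ends up marginal; had Alice also verified Erin, Frank’s key would become fully valid.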


You can get a fresh copy of this page from: http://mindprod.com/jgloss/weboftrust.html