Web of Trust (PGP)

Let's explore how the web of trust solves the problem of a public-key infrastructure.


When using a public-key infrastructure, one has to trust at least the root certificate authorities, which means the overall system is subject to some form of centralization. An alternative approach that aspired to solve the same problem in a more decentralized way is the web of trust.

In the web of trust, there are no certificate authorities that are essentially trusted by everyone. Instead, the various parties sign each other’s public keys, thus endorsing the association of the public key with the person or entity listed in the corresponding certificate. This is done at a key signing party.

Key signing party

A key signing party is an event where people present their public keys, together with proof of their identity (e.g. a passport), to the other attendees, who then digitally sign those public keys. Each party can also assign a specific degree of trust to other parties, which can then be used to build a more elaborate voting scheme, as shown in the following illustration:

Alice can assign complete trust to Charlie, but only marginal trust to Bob. This means that public keys from certificates that Charlie has signed will be automatically trusted.

However, to trust public keys that Bob has signed, these keys must also be signed by other marginally trusted parties. This scheme is flexible, and users can adjust these thresholds accordingly. In this way, all the parties form a web of trust.
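The threshold scheme just described, as an added example that is not part of the lesson or of any OpenPGP implementation: a small Python model in which validity spreads outward from the user's own key, counting a signer's trust only once that signer's key is itself accepted. The people, key ids and the default of two marginal signers are constructed assumptions.

```python
from collections import defaultdict

class WebOfTrust:
    """One user's keyring: who certified whom, plus the owner trust ("full" or
    "marginal") this user assigned to other keys. Key ids are constructed."""

    def __init__(self, own_key, owner_trust):
        self.own_key = own_key
        self.owner_trust = {own_key: "full", **owner_trust}   # key -> trust level
        self.signatures = defaultdict(set)                    # subject -> {signers}

    def sign(self, signer, subject):
        """Record that `signer` certified `subject`'s key, e.g. at a key signing party."""
        self.signatures[subject].add(signer)

    def valid_keys(self, completes_needed=1, marginals_needed=2, max_depth=5):
        """Keys whose owner binding this user accepts.
        A key is accepted if certified by at least `completes_needed` fully
        trusted keys or `marginals_needed` marginally trusted keys. A signer's
        trust counts only once the signer's own key is accepted, so validity
        spreads outward from our key one hop per round, at most `max_depth`
        hops (GnuPG's classic trust model defaults to 1, 3 and 5)."""
        valid = {self.own_key}
        for _ in range(max_depth):
            newly = set()
            for subject, signers in self.signatures.items():
                if subject in valid:
                    continue
                levels = [self.owner_trust.get(s) for s in signers & valid]
                if (levels.count("full") >= completes_needed
                        or levels.count("marginal") >= marginals_needed):
                    newly.add(subject)
            if not newly:
                break
            valid |= newly
        return valid

def alice_example():
    """The lesson's scenario: Alice fully trusts Charlie, only marginally Bob and Dave."""
    wot = WebOfTrust("alice", {"charlie": "full", "bob": "marginal", "dave": "marginal"})
    for friend in ("bob", "charlie", "dave"):
        wot.sign("alice", friend)            # Alice checked these keys in person
    wot.sign("charlie", "erin")              # one fully trusted signer is enough
    wot.sign("bob", "frank")                 # a single marginal signer is not
    wot.sign("bob", "grace"); wot.sign("dave", "grace")   # two marginal signers are
    wot.sign("erin", "heidi")                # Erin is valid but has no owner trust
    return wot.valid_keys()
```

Raising `marginals_needed` or lowering it is how a user adjusts the thresholds the lesson mentions; Frank's key becomes valid only if one marginal signature is deemed sufficient.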

Note: OpenPGP is a standard built on the concept of the web of trust.
