Web of trust

The web of trust is a concept used in PGP that competes with traditional PKI notions of using a certificate authority to establish the authenticity of a key.

PGP includes a certificate 'vetting scheme' to assist with this; it has been called a 'Web of Trust'. PGP identity certificates (which include public keys and owner information) can be 'digitally signed' by other PGP users who, by that act, are 'endorsing' the association of that public key with the person or entity listed in the certificate as its owner. PGP includes a 'vote counting' scheme which can be used to determine which public-key-to-owner association a user will be willing to trust. For instance, if three partially trusted endorsers have vouched for a certificate (and so its included public key), or if one fully trusted endorser has done so, the association in that certificate will be trusted. The parameters are user adjustable, and can be completely bypassed if a PGP user wishes. The scheme is flexible, unlike most public key infrastructure designs, and leaves the trust decision in the hands of individual users. It is not perfect and requires both caution and intelligent supervision by users. Nearly all PKI designs are much less flexible and require users to follow the 'trust endorsement' of the PKI-generated certificates. Intelligence is normally neither required nor allowed. See also: Key signing party.
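A toy model of the vote-counting scheme described above, added here as an illustration and not code from the original article or from any PGP implementation. It applies the page's rule (three partially trusted endorsers, or one fully trusted endorser) and the further rule that an endorser's signature only counts once the endorser's own key has been validated; the trust-level names and the sample keyring are this example's own.

```python
from typing import Dict, Set

# Owner-trust levels the local user assigns to other keys' owners as endorsers.
# The names are this example's own; real PGP software uses similar levels.
UNKNOWN, MARGINAL, FULL, ULTIMATE = 0, 1, 2, 3


def compute_valid_keys(signatures: Dict[str, Set[str]],
                       owner_trust: Dict[str, int],
                       marginals_needed: int = 3,
                       completes_needed: int = 1,
                       max_depth: int = 5) -> Set[str]:
    """Return the key ids whose key-to-owner binding the user accepts.

    signatures: key_id -> ids of the keys that signed that certificate.
    owner_trust: key_id -> how much the user trusts that owner as an endorser.
    ULTIMATE keys (the user's own, or ones verified in person) are valid by
    definition; any other key needs enough signatures from keys that are
    themselves already valid. Self-signatures never count.
    """
    valid = {k for k, t in owner_trust.items() if t == ULTIMATE}
    for _ in range(max_depth):  # each pass extends validity by one more hop
        found = set(valid)
        for key, signers in signatures.items():
            if key in valid:
                continue
            counted = {s for s in signers if s in valid and s != key}
            full = sum(1 for s in counted if owner_trust.get(s, UNKNOWN) >= FULL)
            marginal = sum(1 for s in counted if owner_trust.get(s, UNKNOWN) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                found.add(key)
        if found == valid:  # no new keys validated: fixed point reached
            break
        valid = found
    return valid


# Constructed sample keyring; names are placeholders, not real key ids.
SIGNATURES = {
    "bob": {"alice"}, "carol": {"alice"}, "dave": {"alice"}, "erin": {"alice"},
    "frank": {"bob"},                     # one fully trusted endorser
    "grace": {"carol", "dave"},           # only two partially trusted endorsers
    "heidi": {"carol", "dave", "erin"},   # three partially trusted endorsers
    "ivan": {"zed"},                      # zed is trusted, but zed's key was never validated
    "mallory": {"mallory"},               # self-signed only
}
OWNER_TRUST = {"alice": ULTIMATE, "bob": FULL, "carol": MARGINAL,
               "dave": MARGINAL, "erin": MARGINAL, "zed": FULL}

if __name__ == "__main__":
    print(sorted(compute_valid_keys(SIGNATURES, OWNER_TRUST)))
```

Lowering `marginals_needed` to 2 makes grace's certificate valid, while ivan's never becomes valid however much zed is trusted, because trust in an endorser is useless until that endorser's own key has been validated.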

X.509 PKI, in contrast, only lets a key be signed by one party: a certificate authority. If this CA does not have a trusted key, its key may itself be signed by a different CA, and so on up to the root certificate; this root certificate is implicitly trusted and bestows trust on all certificates signed by it. Root certificates are distributed in advance by a company for internal use, and by manufacturers of browsers so that SSL pages will work without the user having to manually install root certificates. The CAs which own the root certificates pay for the honor, and the browser manufacturers don't check whether they in fact are trustworthy.