All Public Key Infrastructure (PKI) implementations rely on trust. Before Alice sends a secret message to Bob, she must trust that the public key she is about to use actually belongs to Bob, and not to Eve. PKI implementations such as X.509, which is the standard behind SSL, TLS and S/MIME, rely on centralized Certification Authorities (CAs), who issue digital certificates stating that Bob's key actually belongs to Bob. Putting all our trust in CAs has important flaws (hackers, governments, and frequently both), which is why another PKI implementation, OpenPGP, chooses to rely instead on a "Web of Trust," where each user builds up their own trust relationships from the ground up and therefore does not rely on any central authorities. This talk will shed light on how the OpenPGP web of trust works, covering such topics as: the distinction between key trust and key validity; the difference between ultimately, fully, and marginally trusted keys; the importance of revocation certificates; and the usefulness of delegated trust in larger organizations. Basic knowledge of public key cryptography is required.