Web of trust

In cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and a user. It is, in some respects, an alternative to centralized PKI reliance exclusively on a certificate authority (or a hierarchy of such). As with computer networks, there are many independent webs of trust, and any user (through their identity certificate) can be a part of – and a link between – multiple webs.

Contents

1 Operation of a web of trust 2 Contrast with typical PKI 3 Web of trust problems 4 See also 5 External links 5.1 General 5.2 PGP Key Analysis 5.3 Web of Trust statistics and tools 5.4 Other trust-related tools and sites

Operation of a web of trust

All OpenPGP-compliant implementations include a certificate vetting scheme to assist with this; its operation has been termed a web of trust. OpenPGP identity certificates (which include public key(s) and owner information) can be digitally signed by other users who, by that act, endorse the association of that public key with the person / entity listed in the certificate. This is commonly done at keysigning parties.

OpenPGP-compliant implementations also include a vote counting scheme which can be used to determine which public key – owner association a user will trust while using PGP. For instance, if three partially trusted endorsers have vouched for a certificate (and so its included public key – owner binding), OR if one fully trusted endorser has done so, the association between owner and public key in that certificate will be trusted to be correct. The parameters are user-adjustable (e.g., no partials at all, or perhaps 6 partials) and can be completely bypassed if desired.

The scheme is flexible, unlike most public key infrastructure designs, and leaves trust decision(s) in the hands of individual users. It is not perfect and requires both caution and intelligent supervision by users. Essentially all PKI designs are less flexible and require users to follow the trust endorsement of the PKI generated, CA-signed, certificates. Intelligence is normally neither required nor allowed. These arrangements are not perfect either, and require both caution and care by users.

Contrast with typical PKI

In contrast, a typical X.509 PKI permits each certificate to be signed only by a single party: a certificate authority (CA). The CA's certificate may itself be signed by a different CA, all the way up to a 'self-signed' root certificate. Root certificates must be available to those who use a lower level CA certificate and so are typically distributed widely. They are for instance, distributed with such applications as browsers and email clients. In this way SSL/TLS-protected Web pages, email messages, etc. can be authenticated without requiring users to manually install root certificates. Applications commonly include over one hundred root certificates from dozens of PKIs, thus by default bestowing trust throughout the hierarchy of certificates which lead back to them. Many of these root certificates were created by companies which collapsed , e.g. as the Dot-com bubble burst. Unless those PKIs are still properly managed even so, the root certificates almost certainly should no longer be relied upon now.

Web of trust problems

The OpenPGP web of trust is essentially unaffected by such things as company failures, and has continued to function with little change. However, a related problem does occur. Users, whether individuals or organizations, who lose track of a private key can no longer cope with (i.e., decrypt) messages sent to them produced using the matching public key found in an OpenPGP certificate. Early PGP certificates did not include expiry dates, and those certificates had unlimited lives. Users had to prepare a signed cancellation certificate against the time when the matching private key was lost or compromised. One very prominent cryptographer is still getting messages encrypted using a public key for which he long ago lost track of the private key. He can't do much with those messages except discard them after notifying the sender that they were unreadable and requesting resending with a public key for which he still has the matching private key. Later PGP, and all OpenPGP compliant, certificates include expiry dates which automatically preclude such troubles (eventually) when used sensibly.

Version 3 of X.509 includes enough flexibility to support an OpenPGP-like web of trust. When applied, this is typically used to establish a mesh of higher level CAs, e.g. the US Federal Bridge CA, rather than a grassroots trust infrastructure.

A non-technical, social, difficulty with a Web of Trust like the one built into PGP/OpenPGP type systems is that every web of trust without a central controller (eg, a CA) depends on other users for trust. Those with new certificates (ie, produced in the process of generating a new key pair) will not likely be readily trusted by other users' systems, that is by those they have not personally met, until they find enough endorsements for the new certificate. This is because many other Web of Trust users will have their certificate vetting set to require one or more fully trusted endorsers of an otherwise unknown certificate (or perhaps several partial endorsers) before using the public key in that certificate to prepare messages, believe signatures, etc.

Despite the wide use of OpenPGP compliant systems and easy availability of on-line multiple key servers, it is possible in practice to be unable to readily find someone (or several people) to endorse a new certificate (eg, by comparing physical identification to key owner information and then digitally signing the new certificate). Users in remote areas or undeveloped ones, for instance, may find other users scarce. And, if the other's certificate is also new (and with no or few endorsements from others), then its signature on any new certificate can offer only marginal benefit toward becoming trusted by still other parties' systems and so able to securely exchange messages with them. Key-signing parties are a relatively popular mechanism to resolve this problem of finding other users who can install one's certificate in existing webs of trust by endorsing it.

See also

• Virtual community

External links

General

• An explanation of the PGP Web of Trust (http://www.rubin.ch/pgp/weboftrust.en.html)

PGP Key Analysis

• PGP Web of Trust Statistics (http://bcn.boulder.co.us/~neal/pgpstat/) - analysis by Neal McBurnett in 1996
• Analysis of a large OpenPGP ring (http://dtype.org/keyanalyze/) - analysis by Drew Streib in 2001-2002
• Current key analysis reports (http://keyserver.kjsl.com/~jharris/ka/) - maintained by Jason Harris

Web of Trust statistics and tools

• Wotsap - Web of trust statistics and pathfinder (http://www.lysator.liu.se/~jc/wotsap/index.html)
• The Footsie Web of Trust analysis (http://www.parisc-linux.org/~willy/wot/footsie/)
• PGP tools, pathfinder, references (http://www.cs.uu.nl/people/henkp/henkp/pgp/) from Henk P. Penning
• Individual key statistics (http://t-butter.de/gpg.php) from Thomas Butter

Other trust-related tools and sites

• Trust-forum (http://sourceforge.net/projects/trust-forum/): a project of web-based communication system that aims to include a web of trust between servers based on trust declarations between users.
• Trust Metrics Evaluation Project (http://moloko.itc.it/trustmetricswiki/moin.cgi/FrontPage) wiki.

de:Web of trust it:Web of trust