PGP Web of Trust Explained
How the OpenPGP web of trust works — key signing, trust levels, and the keyserver ecosystem.
Tags: PGP web of trust, GPG key signing trust, PGP keyserver
The PGP web of trust is the OpenPGP ecosystem's answer to a fundamental question: how do you know that a public key actually belongs to the person claiming to own it? Without a central certificate authority, PGP uses a network of mutual key signings in which trust is delegated through people you already trust.

---

The Trust Problem in Asymmetric Cryptography

When you encrypt a message to Alice, you need Alice's public key. But anyone can upload a key to a keyserver claiming to be Alice. The web of trust provides a mechanism for assessing whether a key genuinely belongs to Alice.

Two distinct concepts:

Validity: Is this key actually owned by alice@example.com?

Trust: Do you trust Alice to vouch for other people's keys?

How Key Signing Works

Key signing is…
Frequently Asked Questions
What is the PGP web of trust?
The PGP web of trust is a decentralized identity verification system for OpenPGP keys. Instead of relying on a central Certificate Authority (like HTTPS), PGP users sign each other's keys to vouch for them. If Alice trusts Bob, and Bob has signed Carol's key, Alice may inherit some trust in Carol's key. Trust propagates through a network of key signatures.
How do I sign someone's PGP key?
First, verify their identity out-of-band (in person or by comparing fingerprints over a trusted channel). Then: `gpg --sign-key their@email.com` (creates a certification signature on their key in your keyring, which can be exported) or `gpg --lsign-key their@email.com` for a non-exportable local signature. To publish the signature: `gpg --keyserver keys.openpgp.org --send-keys THEIR_KEY_ID`. They should download the newly signed version with `gpg --recv-keys THEIR_KEY_ID`. Note that keys.openpgp.org does not distribute third-party signatures, so for the signature to reach others you may need to send the signed key to its owner directly (`gpg --export --armor THEIR_KEY_ID`).
What is a keyserver?
A keyserver is a public directory of OpenPGP public keys. Users upload their public key so others can find and download it. Major keyservers include keys.openpgp.org (verification-required, privacy-respecting) and the SKS keyserver pool (no verification, legacy). Keyservers are not trusted for key validity — they only distribute keys; identity verification is done through the web of trust or WKD.
What is the WKD protocol for key distribution?
Web Key Directory (WKD) is a standard for publishing OpenPGP keys at a domain you control. Your public key is hosted at `https://yourdomain.com/.well-known/openpgpkey/hu/<hash>`. GPG and ProtonMail can automatically look up keys via WKD: `gpg --auto-key-locate wkd --locate-keys name@yourdomain.com`. WKD is increasingly preferred over keyservers for automatic key discovery.
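The `<hash>` in the WKD path is not arbitrary: it is the SHA-1 of the lowercased local part of the address, encoded in z-base-32. The following is an added example (not code from the original article or from GnuPG) that derives the WKD lookup URLs for an address, so you can check what your domain must serve; it follows the direct and advanced methods of the WKD Internet-Draft, and the `?l=` query parameter and test vector come from that draft.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD (draft-koch-openpgp-webkey-service)
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding (a 20-byte SHA-1 becomes 32 chars)."""
    bits = int.from_bytes(data, "big")
    nbits = len(data) * 8
    pad = (-nbits) % 5          # right-pad so the bit count is a multiple of 5
    bits <<= pad
    nchars = (nbits + pad) // 5
    return "".join(ZBASE32[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """WKD hashes the lowercased local part with SHA-1, then z-base-32 encodes it."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(email: str) -> dict:
    """Return the direct and advanced WKD URLs a client will fetch for this address."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    # The original (case-preserved) local part travels in the l= query parameter
    # so the server can find the user id when it stores keys by local part.
    q = "?l=" + quote(local, safe="")
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{q}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{q}",
    }


if __name__ == "__main__":
    # Constructed sample address from the WKD draft's own example
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method}: {url}")
```

A client tries the advanced method first and falls back to the direct one, so the file must exist at whichever of the two paths your domain serves, and it must be the binary (not ASCII-armored) key.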
Is the PGP web of trust still used?
The classic SKS-based web of trust (key signing parties, strongly connected set) has declined. Keyserver spam attacks in 2019 (certificate flooding) broke SKS servers for many users. However, the underlying concept — signing keys after identity verification — remains valid. Modern usage tends toward direct key exchange, WKD, and verification-required keyservers like keys.openpgp.org rather than the classic web of trust model.