DEMKO.CA

Why the Web-of-Trust doesn't work

Aleksander Demko, June, 2007

GPG and PGP advocate a "web of trust" model for the verification of public keys. In this model, the user himself builds a collection of trusted keys, whose signatures on other keys spread that trust. If I trust Bob, and Bob trusts Sally (by signing her key), then I can probably trust Sally too. Simple enough?

Except that it's a big pain in the ass and uses terminology and concepts that most users don't know or care to learn.

Users must first manually verify their first trusted peers. Technically they're supposed to voice-verify key fingerprints or other nonsense, but most users will just blindly trust a key that was emailed or downloaded from the web. Their peers are likely to do the same. It's only a matter of time before one of these humans makes a human error and introduces a bad key into the web.

Furthermore, a lot of communication is with large organizations or web sites that would never be in a "personal web of trust". I simply don't know them, and can't know them, at a personal level, yet I still must communicate with them or verify their messages. For example, I don't know the kernel.org people, yet I'd still like to crypto-verify my downloads from them.

I can see spies, terrorists and the paranoid using this model, but normal users? Forget it.

The CA (Certificate Authority) model is much more user friendly. Your OS should ship with a bare minimum of default keys (for Ubuntu, a bunch of keys owned by Canonical[1]). Then your vendor should go sign the keys of a few well-known email verification repositories (like PGP Corp's Verified Key Service[2]). Domain-owning verification repositories could sign the keys of domain-owning sysadmins, allowing companies to do their own signing.

Basically, you have a web of trust out of the box. And once you do that, you don't care where the keys come from since you can always verify them automatically. They can be embedded in the emails, have URLs to web sites, or be taken from well known repositories, all fetched and verified automatically.
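The automatic check described above, modelled as an added example (not code from the original post): a key is accepted only if a chain of certifications leads back to a key shipped with the OS, no matter where the key itself was fetched from. All key names, the "may certify" flag and the depth limit are assumptions made for illustration, and the cryptographic verification of each signature is assumed to have already succeeded.

```python
from collections import deque

# Constructed sample data; every key name here is hypothetical.
# Each entry is (signer, subject, subject_may_certify) and stands for a
# signature whose cryptographic check is assumed to have passed already.
SHIPPED_ROOTS = {"os-vendor"}  # keys that ship with the OS
CERTIFICATIONS = [
    ("os-vendor", "email-verifier", True),
    ("os-vendor", "domain-registry", True),
    ("domain-registry", "example.org-sysadmin", True),
    ("example.org-sysadmin", "alice@example.org", False),
    ("email-verifier", "bob@example.net", False),
    # An end user vouching for a peer: counts in a personal web of trust
    # if I trust Bob, but carries no weight in the CA model.
    ("bob@example.net", "mallory@example.net", False),
    ("mallory@example.net", "mallory@example.net", False),  # self-signed
]


def find_chain(key, roots=SHIPPED_ROOTS, certs=CERTIFICATIONS, max_depth=4):
    """Return the chain [root, ..., key], or None if none exists.

    Only keys that were themselves certified as authorities may extend a
    chain, and at most max_depth certifying keys (root included) may
    appear in it.
    """
    queue = deque([root] for root in sorted(roots))
    seen = set(roots)
    while queue:
        chain = queue.popleft()
        signer = chain[-1]
        if signer == key:
            return chain
        for issuer, subject, may_certify in certs:
            if issuer != signer or subject in seen:
                continue
            if subject == key:
                return chain + [subject]
            if may_certify and len(chain) < max_depth:
                seen.add(subject)
                queue.append(chain + [subject])
    return None


if __name__ == "__main__":
    for k in ("alice@example.org", "bob@example.net", "mallory@example.net"):
        print(k, "->", find_chain(k))
```
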

Basically, it's the web browser/https/ssl model, and it works. Let's use it!