On the Web, anyone can pretend to be whoever they want.

The Web of Trust is an initiative that has existed for quite a long time. The principle is pretty simple: you meet someone, you shake hands, check each other's identity documents with photos (usually government-issued), and exchange keys to be signed.

This process has been massively used by people to get their GPG/PGP keys signed. When someone grabs your key from a keyserver, they also download every signature that was publicly published on it. If one of these signatures is trusted by this person, they may consider your key trustworthy, start communicating with you using your key, and trust your digital signature.
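How a verifier could decide which downloaded keys to accept, as an added example that is not from the original post. It goes beyond the single trusted signature described above and models the classic GnuPG-style rule (one fully trusted signer, or three marginally trusted ones, within a limited path length); all key names and signatures are constructed.

```python
# Simplified model of the classic PGP/GnuPG trust calculation (added example).
# All key names and signatures below are constructed sample data.
FULL, MARGINAL, NONE = "full", "marginal", "none"

def valid_keys(my_key, signatures, ownertrust,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: depth} for every key considered valid from my_key's view.

    signatures: set of (signer, signee) pairs, e.g. fetched along with a key
    ownertrust: how far I trust each owner to check identities before signing
    """
    trust = dict(ownertrust)
    trust[my_key] = FULL                 # my own key is the root of trust
    valid = {my_key: 0}
    for depth in range(1, max_depth + 1):
        newly = {}
        for key in {signee for _, signee in signatures} - set(valid):
            # Only signatures made by keys that are already valid count.
            signers = {s for s, t in signatures if t == key and s in valid}
            full = sum(trust.get(s, NONE) == FULL for s in signers)
            marginal = sum(trust.get(s, NONE) == MARGINAL for s in signers)
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid

SIGNATURES = {
    ("me", "alice"), ("me", "carol"), ("me", "dave"), ("me", "erin"),
    ("alice", "bob"),                    # one fully trusted signer is enough
    ("carol", "frank"), ("dave", "frank"), ("erin", "frank"),  # 3 marginals
    ("carol", "grace"),                  # a single marginal signer is not
    ("bob", "ivan"),                     # bob is valid but not a trusted signer
    ("mallory", "heidi"),                # signer unknown to me: ignored
}
OWNERTRUST = {"alice": FULL, "carol": MARGINAL, "dave": MARGINAL, "erin": MARGINAL}

if __name__ == "__main__":
    for key, depth in sorted(valid_keys("me", SIGNATURES, OWNERTRUST).items()):
        print(f"{key}: valid, {depth} step(s) from my key")
```

Note that a key being valid (bob) does not make its owner a trusted signer: ivan stays unverified until I decide how much I trust bob's checking.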

You can also associate a policy with your key signing. It defines how you proceed and what you check before signing someone’s key. If you want to know my policy, please follow this link.

Extension of this principle

This principle is still massively used for GPG/PGP key signing. But it can also be leveraged in multiple domains.

Here comes CAcert. CAcert is an Australian association that wants to broaden the use of SSL certificates. Today, trusted SSL certificates are expensive. CAcert believes that, with an appropriate policy, you can develop a Root CA (Root Certificate Authority, the ones that are usually embedded in your systems, browsers, …) without any expensive process.

They use this principle: a trusted group of users checks the identities of new users to certify that they are who they say they are. Those new users enter the Web of Trust and can now check new users to certify …

And then, when you access a website or download code signed by a key delivered by CAcert, you know that the signature can be trusted and cannot be counterfeited.

I really suggest you take a look at their policy and their initiative. This is really interesting and, as a community-driven initiative, they are really open to sharing their thoughts, beliefs, … Unfortunately, major browsers and systems are not willing to hear their strategy and rely solely on commercial CAs at the moment. They are currently leading a project to be integrated into Mozilla’s products (for 8 years now, by the way :().

