11

I'm studying network and system security and I came across the phrase "web of trust". From Wikipedia:

In cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and its owner. Its decentralized trust model is an alternative to the centralized trust model of a public key infrastructure (PKI), which relies exclusively on a certificate authority (or a hierarchy of such). As with computer networks, there are many independent webs of trust, and any user (through their identity certificate) can be a part of, and a link between, multiple webs.

I want a clearer definition and some example if possible.

unor
Amanuel Nega

3 Answers

13

A hierarchical public key infrastructure is when some Certification Authority (CA) issues certificates to a lot of sub-entities: the CA signs certificates to guarantee the link between an identity and the public key owned by that entity. The PKI is hierarchical in that there are few CAs and each CA signs certificates for a lot of people.

In a Web of Trust, everybody is a CA. Every user signs certificates for whoever he wants.

In mathematical language, a hierarchical PKI naturally implies an acyclic certification graph, usually a tree: trust percolates down the tree from a single root CA, or a small set of root CAs. Whereas the WoT is a super-connected generic graph with cycles and many paths between any two points.

Politically, the hierarchical PKI is a military-inspired structure, with a central chain of command; while the WoT is an anarchist hippy utopia in which trust emerges semi-magically from the assembled people (or the mob, from another point of view).

Thomas Pornin
2

Basically it's the concept of decentralising trust management: PKI infrastructure relies on a centralised third party to decide which entity is trustworthy and which one is not.

For example (PKI):

Bob is a nice guy. Everybody loves Bob, and really trusts him. When someone knocks on their door, it's okay if Bob sent him - not if Alice sent that person.

A Web of Trust is something different: trust is awarded if somebody else trusts you, and you base your trust on the amount of trust other trustworthy persons put in the new one.

For example (WOT):

Bob is a nice guy. But Alice's a nice gal too. Alice trusts Bob, and Bob trusts Alice. There's also a not so nice person in the bunch, Eve. A new guy arrives, John. John is trusted by Bob. If someone wants to know if John is trustworthy, he can see that John is trusted by Alice, and that none of those persons trusts Eve or is trusted by Eve. Therefore it can be fairly safe to conclude that John is trustworthy.

Source: http://en.wikipedia.org/wiki/Web_of_trust

friedkiwi
1

The simplest way to explain it is a bit like "6 degrees of separation". The idea with a web of trust is that you verify someone's identity and decide to trust them to trust people for you. So if I verify that Bob's certificate is actually for Bob and I verify that Charlie's certificate is from Charlie, Bob and Charlie can both verify that Dan is in fact Dan.

Now, when Dan wants to talk to me, he can provide his certificate which is trusted by both Bob and Charlie. Since I trust Bob and Charlie, I figure that there is probably a good chance Dan is actually Dan.

This works since I expect that Bob and Charlie weren't both working together and Dan had to have convinced them both that he was ok.

A web of trust is such a network of people who have verified each other's certificates and thus you can trust unknown certificates based on how many people you have verified that have established a relationship with them.

AJ Henderson
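As an added example (not part of the question or of any of the answers above), the following Python model puts both certification graphs side by side: the hierarchical PKI from Thomas Pornin's answer, where the graph is a tree and a single chain of signatures from a root CA makes a key valid, and the web of trust from AJ Henderson's answer, where I accept Dan's key because two people whose keys I verified myself, Bob and Charlie, both signed it. Every key, signature and name is constructed for this example; "Stranger" and "Frank" are hypothetical names added here, and the rule that two introducers are needed is this example's parameter, not a PGP default.

```python
"""Toy model of a hierarchical PKI versus a web of trust (constructed example).

A certification graph maps each key (named after its owner) to the set of
keys that owner has signed.  Nothing here is real PGP data.
"""
from collections import deque


def add_signature(graph, signer, subject):
    """Record that `signer` certified the binding between `subject` and its key."""
    graph.setdefault(signer, set()).add(subject)
    graph.setdefault(subject, set())


def signers_of(graph, subject):
    """Every key whose owner has signed `subject`."""
    return {key for key, signed in graph.items() if subject in signed}


def has_cycle(graph):
    """True if the certification graph contains a directed cycle (a tree never does)."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {key: WHITE for key in graph}

    def visit(key):
        colour[key] = GREY
        for nxt in graph[key]:
            if colour[nxt] == GREY or (colour[nxt] == WHITE and visit(nxt)):
                return True
        colour[key] = BLACK
        return False

    return any(colour[key] == WHITE and visit(key) for key in list(graph))


def count_paths(graph, src, dst, seen=frozenset()):
    """Number of distinct simple signature paths from src to dst."""
    if src == dst:
        return 1
    return sum(count_paths(graph, nxt, dst, seen | {src})
               for nxt in graph.get(src, ()) if nxt not in seen)


def pki_valid(graph, subject, roots):
    """Hierarchical rule: valid if ONE chain of signatures leads from a trusted
    root CA down to the key.  Trust percolates down the tree automatically."""
    seen, queue = set(roots), deque(roots)
    while queue:
        key = queue.popleft()
        if key == subject:
            return True
        for child in graph.get(key, set()) - seen:
            seen.add(child)
            queue.append(child)
    return False


def wot_valid(graph, subject, me, introducers, needed=2):
    """Web-of-trust rule: valid if I signed the key myself, or if at least
    `needed` people I personally verified (my introducers) have signed it.
    Trust does NOT percolate: a key that becomes valid this way is not an
    introducer unless I decide to trust its owner.  needed=2 is an
    assumption of this example, not a PGP default."""
    signers = signers_of(graph, subject)
    if me in signers:
        return True
    return len(signers & set(introducers)) >= needed


def build_pki():
    """Constructed tree: RootCA -> SubCA -> {Dan, Eve}."""
    graph = {}
    add_signature(graph, "RootCA", "SubCA")
    add_signature(graph, "SubCA", "Dan")
    add_signature(graph, "SubCA", "Eve")   # one CA signature is all Eve needs here
    return graph


def build_wot():
    """Constructed web: cycles, two independent paths to Dan, nobody I know near Eve."""
    graph = {}
    for signer, subject in [("Me", "Bob"), ("Me", "Charlie"),      # keys I verified myself
                            ("Alice", "Bob"), ("Bob", "Alice"),    # a cycle: Alice <-> Bob
                            ("Bob", "Dan"), ("Charlie", "Dan"),    # two independent vouches
                            ("Dan", "Frank"),                      # Dan vouches for Frank
                            ("Stranger", "Eve")]:                  # hypothetical, unknown to me
        add_signature(graph, signer, subject)
    return graph


if __name__ == "__main__":
    pki, wot = build_pki(), build_wot()
    print("PKI has cycle:", has_cycle(pki), "| WoT has cycle:", has_cycle(wot))
    print("paths RootCA->Dan:", count_paths(pki, "RootCA", "Dan"),
          "| paths Me->Dan:", count_paths(wot, "Me", "Dan"))
    for name in ["Bob", "Alice", "Dan", "Frank", "Eve"]:
        print(f"WoT: {name} valid for me? {wot_valid(wot, name, 'Me', ['Bob', 'Charlie'])}")
```

Run it and note the two behaviours that matter: in the PKI, Eve is valid as soon as SubCA signs her, because one signature from the hierarchy is sufficient; in the web of trust, Frank is not valid even though a valid key (Dan's) signed him, because I never chose Dan as an introducer, and Alice is not valid with only Bob vouching until the threshold is lowered to one. Who counts as an introducer, and how many are required, is the policy each participant sets for their own keyring.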