
PGP Key Management

PGP has the same difficulty as other public key systems: how to distribute keys in such a way as to avoid a successful "man-in-the-middle" attack. In commercial RSA-based products (such as SSL for Web-based E-Commerce) the solution is commercial Certificate Authorities. PGP adopts a more "low-tech" (but highly effective) approach called a Web of Trust.
 
PGP implements certificates exactly analogous to the X.509 certificates discussed earlier -- in fact, PGP can use X.509 certificates. PGP certificates extend this model by allowing multiple signatures, so several people can independently attest that the certificate is genuine. In the PKI slide, earlier, the trust model was hierarchic. In PGP it is cumulative -- a certificate gains authority as more people sign it. A signer of a certificate becomes an introducer for that certificate. For example, if you trust me, and I appear as an introducer of a new certificate, then you will tend to trust the certificate as well -- as in: "I trust him, and he trusts the other guy, so I guess I trust the other guy as well..." Trust becomes transitive.
 
In the early days of PGP, an initial Web of Trust was established by holding PGP signing parties, where people would identify themselves to others, and then sign their certificates. PGP also has the notion of complete trust and marginal trust, in addition to untrusted certificates.
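A worked illustration of the cumulative model, added here as an example (it is not part of the lecture and not code from any PGP implementation): a certificate becomes valid once it carries a signature from a completely trusted introducer, or enough signatures from marginally trusted ones, and a signature only counts if the introducer's own certificate has already been validated. The threshold of two marginal introducers and the sample web of signatures are constructed assumptions.

```python
# Toy model of PGP Web-of-Trust key validation (added example, not PGP code).
# Assumption: a certificate is VALID when signed by one COMPLETE introducer or
# by MARGINALS_NEEDED marginal introducers whose own certificates are valid.
COMPLETE, MARGINAL, UNTRUSTED = "complete", "marginal", "untrusted"
MARGINALS_NEEDED = 2  # constructed threshold; real clients make this configurable


def compute_validity(signers: dict[str, set[str]], owner_trust: dict[str, str],
                     own_keys: set[str]) -> set[str]:
    """Return the keyids whose certificates are considered valid.

    signers: keyid -> keyids that signed it (its introducers).
    owner_trust: keyid -> how far we trust that person as an introducer.
    own_keys: our own keys, valid by definition and counted as complete.
    A signature counts only if the signer's certificate is itself valid, so we
    iterate to a fixed point: trust is cumulative, not blindly transitive.
    """
    valid = set(own_keys)
    changed = True
    while changed:
        changed = False
        for kid, introducers in signers.items():
            if kid in valid:
                continue
            complete = marginal = 0
            for s in introducers:
                if s not in valid:
                    continue  # signature by an unvalidated key carries no weight
                trust = COMPLETE if s in own_keys else owner_trust.get(s, UNTRUSTED)
                complete += int(trust == COMPLETE)
                marginal += int(trust == MARGINAL)
            if complete >= 1 or marginal >= MARGINALS_NEEDED:
                valid.add(kid)
                changed = True
    return valid


# Constructed sample web; "me" is our own key, signing parties produced the rest.
SAMPLE_SIGNERS = {
    "me": set(), "alice": {"me"}, "bob": {"alice"}, "carol": {"alice"},
    "dave": {"bob", "carol"}, "eve": {"bob"}, "frank": {"eve"},
}
SAMPLE_TRUST = {"alice": COMPLETE, "bob": MARGINAL, "carol": MARGINAL,
                "eve": COMPLETE}

if __name__ == "__main__":
    # dave is valid via two marginal introducers; eve has only one marginal
    # signature, so her key is not valid and cannot introduce frank, even
    # though we would trust eve completely if her key were validated.
    print(sorted(compute_validity(SAMPLE_SIGNERS, SAMPLE_TRUST, {"me"})))
```

Note that eve's complete owner trust never comes into play: the trust we place in a person only counts once that person's own certificate has been validated through the web.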

More Information

The links in the body of this lecture were primary sources. The following might also be useful:
 
http://www.pgpi.org/doc/pgpintro/
http://world.std.com/~cme/html/web.html
http://www.rubin.ch/pgp/weboftrust.en.html
http://www.rsa.com/rsalabs/faq/
http://home.netscape.com/security/basics/index.html
http://home.netscape.com/ja/newsref/ref/internet-security.html
http://www.netcraft.co.uk/cgi-bin/Survey/sslwhats
http://pebble.bbntech.com/docs/SSL.doc.html
http://www.apacheweek.com/features/ssl
In VeriSign We Trust
 
Lecture 18: Encryption #3 -- Practical Encryption Copyright © 2003 P.Scott, La Trobe University Bendigo.

The tutorial for this lecture is Tutorial #18.
