Key Signing

To exchange encrypted information, or to verify signed information, using PGP, you need your correspondent’s public key.  However, you can’t just assume that a key with my name on it is my key; for that, you need to verify my identity in some way.

If you were to meet me in person, I could exchange key information with you; additionally, some form of trusted ID is used so that we can both be assured of each other’s identity.  Generally, some sort of government-issued ID (driver’s license, passport, etc.) is used, on the assumption that we can trust the government to identify us properly.

If, however, you want to correspond with someone with whom you have never had physical contact, the web of trust is used.  The web of trust says that if you (person A) trust person B, who trusts person C (me), you can trust person C even if you’ve never met them.  This isn’t to say that you can trust them with your bank account information, but you can trust them to be who they claim to be.

However, there’s a reason that it’s called a “web” of trust and not a “line” of trust.  As a web, there are many connections between nodes.  Generally, the more independent signature paths there are between your key and another key, the more confidence you can place in that key.  It is therefore important to exchange signatures whenever you can, but also to ensure that you verify identities properly when exchanging signatures, so that the web of trust does not collapse.
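To make the “more paths, more confidence” point concrete, here is an added example (not part of the original post) that computes key validity over a small signature graph. It assumes the rule GnuPG’s classic trust model applies by default: a key is considered valid if it is signed by one fully trusted valid key, or by three marginally trusted valid keys, within a chain of at most five steps; the keys, signatures and trust levels below are constructed for illustration.

```python
"""Toy web-of-trust validity calculation (added example, not from the post)."""

# Assumed defaults modelled on GnuPG's classic trust model.
COMPLETES_NEEDED = 1   # one fully trusted signer suffices
MARGINALS_NEEDED = 3   # or three marginally trusted signers
MAX_CERT_DEPTH = 5     # longest certification chain considered


def compute_valid_keys(signatures, owner_trust, my_key):
    """Return the set of keys whose identity is considered valid.

    signatures:  dict  signer key -> set of keys that signer has certified
    owner_trust: dict  key -> 'ultimate' | 'full' | 'marginal' (absent = no trust)
    my_key:      the key the calculation starts from (always valid)
    """
    valid = {my_key}
    for _ in range(MAX_CERT_DEPTH):          # each round extends the chain by one step
        candidates = {k for s in valid for k in signatures.get(s, ())} - valid
        newly_valid = set()
        for key in candidates:
            # Only signatures made by keys that are themselves valid count,
            # and only if the owner of the signing key has been assigned trust.
            signers = {s for s in valid if key in signatures.get(s, ())}
            full = sum(owner_trust.get(s) in ('full', 'ultimate') for s in signers)
            marginal = sum(owner_trust.get(s) == 'marginal' for s in signers)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


# Constructed sample: I am key A and have signed B, C and D in person.
SAMPLE_SIGNATURES = {
    'A': {'B', 'C', 'D'},
    'B': {'E', 'F', 'G'},
    'C': {'E', 'F', 'G'},
    'D': {'E'},
    'E': {'G'},
}
SAMPLE_TRUST = {'A': 'ultimate', 'B': 'marginal', 'C': 'marginal',
                'D': 'marginal', 'E': 'marginal'}


def demo():
    """E is valid (three marginal paths); F is not (only two); G becomes valid
    only once E does, because E supplies the third path."""
    return compute_valid_keys(SAMPLE_SIGNATURES, SAMPLE_TRUST, 'A')
```

Remove E from the trust table and G drops out of the valid set, which is the “web collapsing” failure mode the paragraph warns about.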

If you are planning to visit the Victoria, BC area, drop me a line and we can arrange to exchange PGP signatures.
