The first time I encountered the concept of a web of trust I was perusing the “Gnu Privacy Handbook” as any good privacy advocate would do. At the time that document was written in the late 1990s, PGP in email was a niche topic shared among security experts and enthusiasts, and while it is still widely used today, we normally expect end-to-end encryption to be taken care of for us. PGP, like Bitcoin, is made possible by public key cryptography. Initially, I assumed basic cryptography was enough to authenticate and prevent tampering of communications, so I was a bit taken aback to discover that a web of trust was integral to the process of sharing keys. Why would this be?
Consider this concrete example. You download a piece of software. You’re encouraged to also obtain a cryptographically signed file corresponding to the software release. You can verify the download is authentic by confirming the signature was produced by the developer’s public key. However, this still leaves one very important question: How do we know we have the correct developer’s public key and not an…
