Ed Vielmetti wrote a very nice succinct comparison between the trust
models for PGP and PEM. There was one line that he had in his explanation
that was garbled in some typographical error, and I didn't follow it. It
alluded to "transitive trust". If Ed meant that PGP uses transitive
trust, I just wanted to say that PGP does not use transitive trust in
the sense I think most people mean. PGP requires you (the user) to
specify direct trust for anyone you designate to be an "introducer" to
certify other people's public keys. That is, if you trust Alice,
and Alice trusts Bob, PGP does not assume you trust Bob. PGP does
allow a chain of certifications between a key and you (the apex of
the pyramid), but PGP insists that this chain must consist only of
people that you trust directly yourself, in order to recognize the
validity of a key at the end of this chain. I know that doesn't sound
very clear. Maybe I should take more time to compose that in a clearer
form.
In other words-- suppose you sign Alice's key, and Alice signs Bob's
key, and Bob signs Charlie's key. PGP will only recognize that Charlie's
key is valid if and only if YOU tell PGP that you directly trust Alice
and Bob to be trusted introducers. In this example, you only need to
actually SIGN Alice's key, even though you trust both Alice and Bob
to act as introducers.
Now, in a real-world situation, it is highly likely that if you told
PGP that you trust both Alice and Bob to be trusted introducers, you
probably would not just sign Alice's key, but Bob's as well. In that
case, Alice is extraneous to this chain, since the trusted path from
Charlie to you is shorter, going only through Bob.
The following is an excerpt from the PGP User's Guide, that gives a partial
explanation of PGP's trust model. It doesn't make clear this trusted
path stuff to the extent that you guys want to know, but I'm including
it here anyway.
-Philip Zimmermann
prz(_at_)acm(_dot_)org
----------------------------------------------------------------
How Does PGP Keep Track of Which Keys are Valid?
------------------------------------------------
Before you read this section, be sure to read the above section on
"How to Protect Public Keys from Tampering".
PGP keeps track of which keys on your public key ring are properly
certified with signatures from introducers that you trust. All you
have to do is tell PGP which people you trust as introducers, and
certify their keys yourself with your own ultimately trusted key.
PGP can take it from there, automatically validating any other keys
that have been signed by your designated introducers. And of course
you may directly sign more keys yourself.
There are two entirely separate criteria PGP uses to judge a public
key's usefulness-- don't get them confused:
1) Does the key actually belong to whom it appears to belong?
In other words, has it been certified with a trusted signature?
2) Does it belong to someone you can trust to certify other keys?
PGP can calculate the answer to the first question. To answer the
second question, PGP must be explicitly told by you, the user. When
you supply the answer to question 2, PGP can then calculate the
answer to question 1 for other keys signed by the introducer you
designated as trusted.
Keys that have been certified by a trusted introducer are deemed
valid by PGP. The keys belonging to trusted introducers must
themselves be certified either by you or by other trusted
introducers.
PGP also allows for the possibility of you having several shades of
trust for people to act as introducers. Your trust for a key's owner
to act as an introducer does not just reflect your estimation of
their personal integrity-- it should also reflect how competent you
think they are at understanding key management and using good
judgment in signing keys. You can designate a person to PGP as
unknown, untrusted, marginally trusted, or completely trusted to
certify other public keys. This trust information is stored on your
key ring with their key, but when you tell PGP to copy a key off your
key ring, PGP will not copy the trust information along with the key,
because your private opinions on trust are regarded as confidential.
When PGP is calculating the validity of a public key, it examines the
trust level of all the attached certifying signatures. It computes a
weighted score of validity-- two marginally trusted signatures are
deemed as credible as one fully trusted signature. PGP's skepticism
is adjustable-- for example, you may tune PGP to require two fully
trusted signatures or three marginally trusted signatures to judge a
key as valid.
Your own key is "axiomatically" valid to PGP, needing no introducer's
signature to prove its validity. PGP knows which public keys are
yours, by looking for the corresponding secret keys on the secret
key ring. PGP also assumes you ultimately trust yourself to certify
other keys.
As time goes on, you will accumulate keys from other people that you
may want to designate as trusted introducers. Everyone else will
each choose their own trusted introducers. And everyone will
gradually accumulate and distribute with their key a collection of
certifying signatures from other people, with the expectation that
anyone receiving it will trust at least one or two of the signatures.
This will cause the emergence of a decentralized fault-tolerant web
of confidence for all public keys.
This unique grass-roots approach contrasts sharply with Government
standard public key management schemes, such as Internet Privacy
Enhanced Mail (PEM), which are based on centralized control and
mandatory centralized trust. The standard schemes rely on a
hierarchy of Certifying Authorities who dictate who you must trust.
PGP's decentralized probabilistic method for determining public key
legitimacy is the centerpiece of its key management architecture.
PGP lets you alone choose who you trust, putting you at the top of
your own private certification pyramid. PGP is for people who prefer
to pack their own parachutes.