OpenPGP and email: Email from beyond your Web of trust

Examine how OpenPGP works and how to confirm that the person you are communicating with over email is legitimate, in this Chapter 8 excerpt from "PGP & GPG: Email for the Practical Paranoid," by Michael W. Lucas.

PGP & GPG: Email for the Practical Paranoid

Michael W. Lucas

216 pages; $24.95

No Starch Press

In this excerpt from Chapter 8 of PGP & GPG: Email for the Practical Paranoid, author Michael W. Lucas examines how OpenPGP works and how to expand your Web of Trust to verify that the person you are communicating with over email is not a fraud.

People across the world use OpenPGP, and you don't know all of them. Chances are that your keyring will start off populated with keys for friends and coworkers, and slowly grow as you communicate with more OpenPGP users. If you receive an encrypted email from a country on the far side of the world, however, it's quite possible that you will have nobody in common and hence you won't really be able to truly verify their identity. What do you do?

One possibility is to use only the corporate PGP keyserver and only correspond with people who use that keyserver. PGP Corporation's keyserver signs public keys after it verifies the email address they're attached to. However, OpenPGP is called "open" because anyone can implement it, and you can't control who will send you email any more than you can control who sends you postcards. I correspond with people all over the world who use OpenPGP, and quite a few have public keys that aren't even vaguely hooked into my Web of Trust. How can I trust them? Here are my three choices:


• Expand my Web of Trust

• Trace the Web of Trust to that person

• Use the key but limit my trust of the sender

Expanding Your Web of Trust

The most correct answer is to expand your Web of Trust. Exchange signatures with more people, even people with whom you're not likely to exchange encrypted mail. More people than you suspect travel between companies, countries, continents, and cultures. Sign their keys and have them sign yours, which will embed you more deeply in the Web of Trust, making it easier for you to reach others and for others to reach you. This takes time, however, and if you receive a mysterious email you don't want to wait weeks or months to read it.

Tracing the Web of Trust

Search Google for "PGP pathfinder" and you'll find any number of websites in which you can trace the path through the Web of Trust between any two OpenPGP keys available on public keyservers. These sites use the keyid for the two keys involved (remember, the keyid is just the last eight characters of the fingerprint). The more paths that exist through different people, the more likely I am to trust that key. Having had my key signed at a couple of different keysigning parties, I would expect to have several paths to anyone in the Web of Trust. For example, suppose that after publishing this book I get an email from someone who claims to be Phil Zimmermann, the original creator of PGP. The keyid of the message sender is B2D7795E. I can grab Phil Zimmermann's public key from a keyserver, or from his Web page, but it's possible that someone uploaded a bogus key for him just to fool people like me.

I visit the Web of Trust pathfinder at (Google's first result) and enter the keyid of the message I received and my keyid. This server tells me that there are eight disjunct paths between this key and mine. In other words, my key is linked to the other key by eight different paths that have no people whatsoever in common.

For that key to be fake, the faker would have had to fool a whole lot of people. Although I have never met Phil Zimmermann, I would believe that this key is legitimate. (If the only path had been through one of my incorrigible practical joker friends, or if there had only been one path, I would have been far more suspicious and infinitely less trusting.) Most of these Web of Trust tracing programs are based on wotsap, a freely available Python program designed to trace relationships between keys. Wotsap is available at many Internet sites; if you're seriously interested in analyzing the Web of Trust, I suggest you start there.
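The "disjunct paths" figure the pathfinder reports is the number of signature chains from your key to the stranger's key that share no intermediate key, which is why one shared signer (the practical joker above) counts only once. The following is an added worked example, not code from the book or from wotsap: it models a small Web of Trust as a "signer has signed key" graph, derives the short keyid from a fingerprint exactly as the chapter describes (last eight hex digits, assuming a 40-digit v4 fingerprint), and computes a maximum set of key-disjoint paths with a unit max-flow after splitting each key into an in-node and an out-node. The key names and the fingerprint are constructed for the example and correspond to no real keys.

```python
"""Trace certification paths through a toy Web of Trust.

Added example; not code from the book or from wotsap.  The Web of Trust
is modelled as a directed graph in which an edge A -> B means "key A has
signed key B".  A chain of such signatures from my key to a stranger's
key is a path I can verify signature by signature; paths that share no
intermediate key are independent evidence, the quantity the pathfinder
in the chapter reports as "disjunct paths".
"""
from collections import defaultdict, deque

# Constructed sample data: the key names and the fingerprint are made up.
SIGNATURES = {
    "me":    ["alice", "bob", "carol", "joker"],
    "alice": ["dave", "erin"],
    "bob":   ["dave"],
    "carol": ["frank"],
    "dave":  ["stranger-A"],
    "erin":  ["stranger-A"],
    "frank": ["stranger-A"],
    "joker": ["stranger-B"],   # a single, possibly unreliable, link
}
SAMPLE_FINGERPRINT = "A1B2 C3D4 E5F6 0718 2930 4A5B 6C7D 8E9F 1234 ABCD"


def short_keyid(fingerprint: str) -> str:
    """Short keyid as the chapter describes it: the last eight hex digits
    of a 40-digit (v4) fingerprint.  Whitespace grouping is ignored."""
    digits = "".join(fingerprint.split()).upper()
    if len(digits) != 40 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("expected a 40-hex-digit OpenPGP v4 fingerprint")
    return digits[-8:]


def disjoint_paths(signatures, source, target):
    """Return a maximum set of key-disjoint signature paths source -> target.

    Every key except source and target is split into an "in" and an "out"
    node joined by a capacity-1 edge, so a unit max-flow from source to
    target counts paths with no intermediate key in common.
    """
    if source == target:
        return []
    keys = set(signatures) | {k for signed in signatures.values() for k in signed}
    cap = defaultdict(lambda: defaultdict(int))   # capacity of edge u -> v
    flow = defaultdict(lambda: defaultdict(int))  # net flow on edge u -> v
    adj = defaultdict(set)                        # residual-graph adjacency

    def add_edge(u, v):
        cap[u][v] += 1
        adj[u].add(v)
        adj[v].add(u)  # reverse edge lets an augmenting path undo a choice

    for key in keys:
        if key not in (source, target):  # endpoints are never intermediate
            add_edge((key, "in"), (key, "out"))
    for signer, signed in signatures.items():
        for key in signed:
            add_edge((signer, "out"), (key, "in"))

    s, t = (source, "out"), (target, "in")
    while True:  # Edmonds-Karp: augment along shortest residual paths
        parent = {s: None}
        queue = deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v in adj[u]:
                if v not in parent and cap[u][v] - flow[u][v] > 0:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            break
        v = t
        while parent[v] is not None:
            u = parent[v]
            flow[u][v] += 1
            flow[v][u] -= 1
            v = u

    # Read the paths back by following unit flow out of the source; each
    # intermediate out-node carries exactly one unit, so no branching occurs.
    paths = []
    for first in adj[s]:
        if flow[s][first] != 1:
            continue
        path, node = [source], first
        while True:
            key, side = node
            if side == "in":
                path.append(key)
                if key == target:
                    break
                node = (key, "out")
            else:
                node = next(v for v in adj[node] if flow[node][v] == 1)
        paths.append(path)
    return paths


if __name__ == "__main__":
    print("short keyid of sample fingerprint:", short_keyid(SAMPLE_FINGERPRINT))
    for who in ("stranger-A", "stranger-B"):
        found = disjoint_paths(SIGNATURES, "me", who)
        print(f"{len(found)} disjoint path(s) from me to {who}:")
        for p in found:
            print("   ", " -> ".join(p))
```

In the sample graph there are four simple signature chains from "me" to "stranger-A", but only three that share no signer, because "dave" carries signatures from both "alice" and "bob"; that is the distinction the disjoint count captures. "stranger-B" is reachable only through "joker", the one-path situation the chapter says should leave you far more suspicious.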


This was last published in June 2006
