The Web of Trust

  • Published: 11 Sep 2024
  • Whether we realize it or not, most people on the Internet use a hierarchical trust model every day. There's a selection of root certificates, issued by specific certificate authorities (CAs), and most websites are secured by certificates issued from these authorities.
    But that's not the only trust model out there! Today, I'm going to talk about the Web of Trust, which is a trust model commonly associated with OpenPGP.
    EXTRA CREDIT:
    - I mentioned (very briefly) that if you need to revoke an OpenPGP key, you hopefully have an offline revocation certificate that you can upload. The way this works is that you create the revocation certificate when you first generate the keypair, so you can sign it while the private key is still available. You just never attach it to the key itself. In the future, if you've lost the keys, you can upload the previously signed revocation certificate to show that the key owner has revoked the key and it should no longer be used.
    - If you're going to store your offline revocation certificate on paper... make sure you choose a good font! I've done this. I've also had to type in the whole revocation certificate to go and upload it. It's... not fun if you've confused an O and a 0, or an I and an l, and you have to hunt through the entire certificate to find out where you made a mistake... (I highly recommend storing the certificate on a USB key or something similar, now!)
    - Depending on your threat model and how secure you really want to be, you might even consider a set of keys: a master key that signs other keys, and a common key that you use for communication only (encrypting and signing messages). Then you can keep the master key offline, and only access it when you need to perform keysigning after a keysigning party (KSP) or another similar event.
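    A worked example added here (not code from the video or its author) for the point about typing a printed revocation certificate back in: every OpenPGP ASCII-armored block ends with an `=XXXX` line carrying a CRC-24 of the binary payload (RFC 4880 section 6), so a transcription error is detectable by recomputing that checksum, and a single O/0 or I/l/1 mix-up can usually be located by trying each look-alike substitution until the checksum matches. The payload bytes are a constructed placeholder standing in for a real revocation packet, the `LOOKALIKE_GROUPS` table is an assumption about which glyphs get confused, and `simulate_typo` only mimics the mistake described above.

```python
"""Check and repair the ASCII-armor checksum of a hand-typed OpenPGP block.

Added example, not the video author's code. The armored block built here
wraps a constructed placeholder payload, not a real revocation packet.
"""
import base64

# Constants from RFC 4880 section 6.1 (the armor checksum CRC-24).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# Assumed sets of glyphs that are easy to confuse on a printout; every
# character here is a valid base64 character, so a mix-up still decodes.
LOOKALIKE_GROUPS = ["0O", "1lI", "5S", "8B", "2Z"]


def crc24(data: bytes) -> int:
    """CRC-24 over the decoded (binary) payload, as in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, block_type: str = "PUBLIC KEY BLOCK", comment: str = None) -> str:
    """Build an armored block: BEGIN line, optional Comment, 64-column body, =checksum."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [f"-----BEGIN PGP {block_type}-----"]
    if comment:
        lines.append(f"Comment: {comment}")
    lines.append("")
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    check = crc24(payload).to_bytes(3, "big")
    lines.append("=" + base64.b64encode(check).decode("ascii"))
    lines.append(f"-----END PGP {block_type}-----")
    return "\n".join(lines) + "\n"


def parse_armor(text: str):
    """Return (base64 body without line breaks, checksum the block claims)."""
    lines = text.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP ") or not lines[-1].startswith("-----END PGP "):
        raise ValueError("not an ASCII-armored block")
    inner = lines[1:-1]
    # Armor headers end at the first blank line; with no headers the body starts at once.
    start = inner.index("") + 1 if "" in inner else 0
    body_lines = [line.strip() for line in inner[start:]]
    if not body_lines or not body_lines[-1].startswith("="):
        raise ValueError("missing armor checksum line")
    claimed = int.from_bytes(base64.b64decode(body_lines[-1][1:]), "big")
    return "".join(body_lines[:-1]), claimed


def checksum_ok(body: str, claimed: int) -> bool:
    """True when the body decodes and its CRC-24 matches the checksum line."""
    try:
        data = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return crc24(data) == claimed


def locate_lookalike_error(body: str, claimed: int):
    """Try every single look-alike substitution; return (index, typed, correct) or None."""
    for i, ch in enumerate(body):
        for group in LOOKALIKE_GROUPS:
            if ch not in group:
                continue
            for alt in group:
                if alt != ch and checksum_ok(body[:i] + alt + body[i + 1:], claimed):
                    return i, ch, alt
    return None


# Constructed placeholder standing in for the revocation certificate packet.
PLACEHOLDER_PAYLOAD = bytes(range(48))
GOOD_CERT = armor(PLACEHOLDER_PAYLOAD, comment="This is a revocation certificate")


def simulate_typo(text: str, printed: str = "0", typed: str = "O") -> str:
    """Mimic a transcription mistake: the first `printed` glyph is typed as `typed`.

    The BEGIN and Comment lines of GOOD_CERT contain no digits, so the first
    hit lands inside the base64 body.
    """
    return text.replace(printed, typed, 1)


if __name__ == "__main__":
    typed_in = simulate_typo(GOOD_CERT)
    body, claimed = parse_armor(typed_in)
    print("checksum ok:", checksum_ok(body, claimed))
    print("suspect (index, typed, correct):", locate_lookalike_error(body, claimed))
```

    Because the CRC polynomial has degree 24, any error confined to one base64 character (at most 6 bits) is always detected; the locator only finds a single wrong glyph, so two or more mistakes still mean a manual hunt. GnuPG 2.1 and later also write a revocation certificate automatically under `openpgp-revocs.d` in the GnuPG home directory at key-generation time, which is the file worth copying to that USB key.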
