
The hardest problem, IMHO, has been key management. How do you get+trust the other's key?

I think a combination of keybase + a useful client can help, but the reasons listed in parent are pretty convincing.



If you care about the physical identity of someone: web of trust.

At some point, you'll have to ideally meet at least one person in the flesh to exchange keys and verify their identity. After that point, it's possible that others you are trying to communicate with might be within your web of trust. If not, you'll have to go through your keysigning procedure again.

  https://www.gnupg.org/gph/en/manual/x334.html
Some organizations facilitate keysigning:

  https://wiki.debian.org/Keysigning/Coordination
But that might not be necessary for you. For example, I don't necessarily care about the physical identity for some of the people I communicate with online. If I see in e-mail archives that person is using the same key to sign their mail for the past N years, I'll use that key to encrypt to them. Similarly with commit signing and such. In that case, I just care that my message is reaching the intended recipient.

I communicate with a number of GNU hackers. Package maintainers upload their signing keys to Savannah, and sign each of their releases with that key. If I simply want to know that my message is reaching that maintainer, I can get the key that way.

But if I want to know that I'm actually speaking to the person that the maintainer _claims_ to be, I'd want to use the web of trust. They could very well be an imposter!


> After that point, it's possible that others you are trying to communicate with might be within your web of trust.

The problem with the web of trust is that it simply doesn't work: the fact that I know you means nothing about whether I trust you to vouch for others. The fact that I trust you to vouch for employees of Acme Widgets means nothing about whether I trust you to vouch for members of a political party.

PGP's usable despite the fact that the Web of Trust is kinda a misfeature.


If you don't trust that individual to vouch for others then they are treated differently in your web of trust: set their trust level to "none".

If you refuse to place trust in anyone, then no, the web of trust will not work for you. But it works for many others; it doesn't make it broken. The purpose of key signing is to verify that a person is legitimately who they claim to be---_that_ is what you are trusting in your web of trust: that someone has verified their identity in a means consistent with accepted protocols.

If enough people say "this person is who they say they are" by signing that person's key, then you decrease the odds that the person is a fraud.


> If you don't trust that individual to vouch for others then they are treated differently in your web of trust: set their trust level to "none".

Whom in the world do you actually trust to vouch for everyone else in the world? For me, at least, the answer is 'no-one,' — which is why neither XPKI nor the Web of Trust work for me.

> But it works for many others; it doesn't make it broken.

I suspect that no-one (older than, say, four years old) trusts any other human being or organisation to vouch for every other human being and organisation, and thus that the WoT is in fact broken for everyone — but that most folks just try to ignore that.


I have confidence in certain people that they will follow a given protocol to the best of their ability. They're not vouching for someone: they're indicating the successful completion of a keysigning protocol.

But again: you don't have to trust a single person. As more people sign Alice's key, it's increasingly unlikely that Alice fooled every one of those people.
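The two comments above (setting someone's trust level to "none", and several marginal signers together validating a key) describe how GnuPG-style owner trust feeds into key validity. The following is an added example, not code from the thread or from GnuPG; it is a constructed, simplified model using GnuPG's default thresholds (one "full" signer or three "marginal" signers), and the key ids are made up:

```python
"""Simplified web-of-trust validity check (constructed example, not from the
thread), modelled on GnuPG's classic trust model defaults: a key is valid if
one signer I trust 'fully' or three signers I trust 'marginally' have signed
it, and only signers whose own keys are already valid count."""
from dataclasses import dataclass, field

NONE, MARGINAL, FULL, ULTIMATE = "none", "marginal", "full", "ultimate"
MARGINALS_NEEDED = 3   # GnuPG default (--marginals-needed)
COMPLETES_NEEDED = 1   # GnuPG default (--completes-needed)
MAX_CERT_DEPTH = 5     # GnuPG default (--max-cert-depth)


@dataclass
class Keyring:
    owner_trust: dict = field(default_factory=dict)  # key id -> trust I assign
    signatures: dict = field(default_factory=dict)   # key id -> set of signer ids

    def sign(self, signer, subject):
        self.signatures.setdefault(subject, set()).add(signer)

    def is_valid(self, key, depth=0, seen=frozenset()):
        if self.owner_trust.get(key) == ULTIMATE:   # my own key
            return True
        if depth >= MAX_CERT_DEPTH or key in seen:
            return False
        full = marginal = 0
        for signer in self.signatures.get(key, ()):
            if signer == key:   # self-signature: binds user IDs, does not vouch
                continue
            if not self.is_valid(signer, depth + 1, seen | {key}):
                continue        # signer's own key is unverified: signature ignored
            trust = self.owner_trust.get(signer, NONE)
            if trust in (FULL, ULTIMATE):
                full += 1
            elif trust == MARGINAL:
                marginal += 1
            # trust == NONE: the signature counts for nothing
        return full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED


def demo():
    """Constructed scenario: I met bob, carol and dave and signed their keys;
    all three then signed alice's key, and I never met alice."""
    kr = Keyring(owner_trust={"me": ULTIMATE})
    for k in ("bob", "carol", "dave"):
        kr.sign("me", k)
        kr.owner_trust[k] = MARGINAL
        kr.sign(k, "alice")
    before = kr.is_valid("alice")    # three marginal signers: valid
    kr.owner_trust["dave"] = NONE    # I stop trusting dave to vouch for others
    after = kr.is_valid("alice")     # only two marginals remain: not valid
    return before, after
```

A signature from a key I have never validated is ignored entirely, so a stranger signing their own friends' keys adds nothing to my view of the web.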


> The problem with the web of trust is that it simply doesn't work: the fact that I know you means nothing about whether I trust you to vouch for others.

Actually it means a lot. That's how trust works in the real world as well.


You don't know any deadbeats you trust less than a random person selected from the population at large?


The "web of trust" is not about trusting everybody you happen to merely know.

It's, and the name is kind of a hint, about knowing those you trust -- it's a web in that there's higher level trust (people you personally know and trust yourself), secondary trust (people trusted by those you trust), etc.

And in cryptography it's even more specific: https://en.wikipedia.org/wiki/Web_of_trust

It's not in any way about trusting someone just because you know them.


Point, but I'll refer you to my following sentence: 'The fact that I trust you to vouch for employees of Acme Widgets means nothing about whether I trust you to vouch for members of a political party.'

The Web of Trust assumes that I trust anyone to vouch for everyone (interesting, TLS — itself also a product of 1990s crypto-thinking — makes the same assumption). But I simply don't. I don't trust my nearest & dearest family & friends to vouch for every identity I care about. But I do trust some of them for some identities.

I trust myself to validate possession of any key. I trust my employer to validate possession of keys related to its work, but not keys related to, e.g., my family or my blog. I may trust one of my brothers to validate keys related to his immediate family, and maybe I trust two of my brothers to jointly validate keys related to our family, but I don't trust them for work, or my blog. I may trust my blogging co-admins to validate keys for roles in the blog, but that doesn't mean they get to validate keys for identities at my employer, or validate keys on behalf of my parents or children.

I could use different email addresses for each identity (I-the-employee, I-the-son, I-the-blogger), and have each identity trust only those who are pertinent to it, but that makes PGP more, not less, difficult. And it's certainly not the model that PGP advocates.


TOFU works within a number of contexts. Though not all.

Generally, out-of-band or reference-based (e.g., third-party vouching) of identity.

Web-of-trust is useful but IMO ultimately a tool of limited use, and presents numerous issues with data disclosure, as it is an independent and public validation of social networks. Often who knows who is more critical than who says what to whom.

PGP-over-email unfortunately leaks massive amounts of metadata.


> How do you get+trust the other's key?

Snail mail + several other out of band methods. Or you can exchange a one time pad, physically.


This also raises the question: With a walled garden like Signal/Wire/etc, how do you get+trust the other's key?

Their convenience comes at a cost.



Yup, and I've done these. But you can do similar things with PGP public keys, too.


I don't understand. You've verified a Signal key but still felt the need to ask the question "With a walled garden like Signal/Wire/etc, how do you get+trust the other's key?"

What cost were you talking about then?


Sorry if my earlier comment came off as rude. I was just trying to say that the walled gardens aren't really that much better than plain old PGP, and in practice they tend to lull people into a false sense of security.

I think too many people are way too trusting of shiny new apps with a pretty UI. If you don't do the extra work of verifying the key, you're effectively letting the service provider act as your one and only CA.

If you can verify a Signal key fingerprint, you can verify a PGP public key fingerprint.
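To make the "verify the fingerprint yourself" point concrete, here is an added example (not code from the thread) that derives an OpenPGP v4 fingerprint from a public-key packet body as RFC 4880 section 12.2 specifies, and compares it with a fingerprint received out of band. The RSA numbers are constructed placeholders, not a real key:

```python
"""OpenPGP v4 fingerprint derivation and out-of-band comparison (constructed
example, not from the thread). Fingerprint format per RFC 4880 section 12.2;
the RSA key material below is tiny and made up, not a real key."""
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit length, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 public-key packet: version, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """v4 fingerprint = SHA-1(0x99 || two-byte body length || body), 40 hex digits."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def normalize(fp: str) -> str:
    """Accept the 'ABCD 1234 ...' spacing gpg prints, in any case."""
    return "".join(fp.split()).upper()


def fingerprint_matches(computed: str, out_of_band: str) -> bool:
    """Compare the full 40-digit fingerprint; a 16-digit key id is not enough."""
    a, b = normalize(computed), normalize(out_of_band)
    return len(a) == 40 and len(b) == 40 and hmac.compare_digest(a, b)


def demo():
    # Constructed key: the numbers are placeholders, not a usable RSA modulus.
    body = v4_rsa_public_key_body(created=1_500_000_000, n=0xC0FFEE1234567890ABCDEF, e=65537)
    fp = fingerprint(body)
    spoken = " ".join(fp[i:i + 4] for i in range(0, 40, 4)).lower()  # as read over the phone
    return fingerprint_matches(fp, spoken), fingerprint_matches(fp, fp[-16:])
```

The same full-fingerprint comparison applies whether the value arrives by phone, on paper, or on a business card; comparing only the trailing key id is what the check must refuse.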


I didn't think it was rude, it just contradicted your other comment.

I still don't see what cost you were speaking about. Mistakes with PGP are at least as likely as mistakes with the shiny easy to use GUI.


One idea: send them a signal (hi, this you?) then immediately dial their number and confirm.


Ideally dual channel. Send them a message on their mobile phone, call on the home phone (if they have one).



