Introduction

Integrity on the Internet is a genuine issue. With the most common protocols such as HTTP and SMTP, it is very hard to establish the identity of a transaction's source or destination. For this reason, SSL tries to increase the authenticity of messages using cryptography. But this is not enough: a cryptographic channel assures that the data transferred between two endpoints has not been tampered with, but it still does not let you verify that the sender or receiver is who they claim to be. Enter PKI, a public key infrastructure, which lets people make themselves known by a digital cryptographic signature made with their key.

Such a key is not really valuable unless it is proven to be owned by a {person, website, mailserver, generic_object} by means of signatures and assurances. If several, or even many, people have seen proof of identity of the person owning the key (for example because the owner appeared before them in person and showed a government-issued identity card, passport or driver's license), they may sign that person's key.

One way of building such a Web of Trust is to hold what are called key signing parties, where people come together, show each other proof of their true identity (a passport, birth certificate, driver's license, or something else that is convincing) and then ask their peers to sign their key.

Two things will be done at OSD 2010:

  1. CAcert assurance
  2. PGP key signing

Both are quite similar: they aim to prove that the holder of a crypto key is who they say they are, and to publicize that proof by placing digital signatures on that crypto key. This grows the web of trust!
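The step that turns an in-person identity check into a trustworthy signature is comparing the full fingerprint you verified at the party against the key you later fetch, before you sign it. The following is an added example, not code from this page or from OSD, CAcert or any PGP implementation; it builds a toy OpenPGP v4 public-key packet (RFC 4880, with a constructed, far-too-small RSA modulus), derives its fingerprint the way OpenPGP does, and refuses to approve a signing when only a key ID or a mismatching fingerprint is supplied.

```python
"""Fingerprint check for a key-signing party (added example, not from the page)."""
import hashlib
import hmac


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    bits = n.bit_length()
    return bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algorithm 1 (RSA), MPIs n and e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def fingerprint_v4(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-byte body length, and the body; 40 upper-case hex digits."""
    prefix = b"\x99" + len(body).to_bytes(2, "big")
    return hashlib.sha1(prefix + body).hexdigest().upper()


def normalize_fingerprint(text: str) -> str:
    """Fingerprints on a party's key list are printed in groups of four; strip spacing and case first."""
    return "".join(text.split()).upper()


def safe_to_sign(key_body: bytes, verified_fpr: str) -> bool:
    """True only if the fetched key's fingerprint equals the one verified in person, all 40 hex digits."""
    expected = normalize_fingerprint(verified_fpr)
    if len(expected) != 40 or any(c not in "0123456789ABCDEF" for c in expected):
        return False  # a short or long key ID, or a truncated fingerprint, is not enough to bind identity to key
    return hmac.compare_digest(fingerprint_v4(key_body), expected)


# Constructed sample key: a toy RSA public key (hypothetical values, not a real key; the modulus is unusably small).
SAMPLE_KEY = v4_public_key_body(created=1283299200, n=0xD4A6B3F2E1C09876543210FEDCBA9876543210AB, e=65537)

if __name__ == "__main__":
    fpr = fingerprint_v4(SAMPLE_KEY)
    print("fetched key fingerprint:", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("matches the fingerprint checked at the party:", safe_to_sign(SAMPLE_KEY, fpr.lower()))
    print("key ID alone accepted:", safe_to_sign(SAMPLE_KEY, fpr[-16:]))
```

The same comparison applies to a CAcert assurance, where the assurer records the identity details they saw rather than signing a PGP key directly.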