What are the three trust models for verifying public keys, and what are their trade-offs?
Direct trust, Web of Trust, Hierarchical (PKI) trust — they differ in who you have to trust and how the trust scales.
| Model | How trust is established | Pros | Cons | Used by |
|---|---|---|---|---|
| Direct Trust | Verify the public key directly (out-of-band: in person, fingerprint check, pre-installed) | Highest assurance per individual key | Doesn't scale beyond a small group | SSH host keys, Tor onion services |
| Web of Trust (WoT) | Each user signs others' keys; trust is transitive ("Alice trusts Bob's signing → Alice indirectly trusts Charlie whose key Bob signed") | Decentralised, no central authority to corrupt | Hard for new users to bootstrap; trust graphs are complex; not user-friendly | PGP / GPG (key-signing parties) |
| Hierarchical Trust (PKI) | Trust a small set of Root Certificate Authorities; everything they (and their intermediates) sign is trusted | Scales to billions of users; user-invisible | All eggs in the CA basket — if a CA is compromised or malicious, the whole system suffers | TLS/HTTPS, S/MIME, code signing |
Direct trust in practice: browsers ship with hard-coded Google/Microsoft/Apple service certificates. Apps and VPN clients embed their server's expected public key (certificate pinning). You verify your bank's PGP key fingerprint in a printed brochure.
Web of Trust caveats: PGP's WoT theoretically works but in practice is dead — nobody runs key-signing parties anymore. Modern replacements like Keybase and Keyoxide use proof-of-identity from social accounts to bootstrap trust without WoT.
Hierarchical PKI's main weakness: there are ~150 trusted root CAs in the typical browser's store. A single compromised or rogue CA can mint a cert for any domain. Notable disasters: DigiNotar (2011) issued fake *.google.com certs (used to spy on ~300,000 Iranian users); Symantec (2017) lost browser trust over years of mis-issuance.
Mitigation: Certificate Transparency (CT) logs publish every cert ever issued so domain owners can detect rogue issuance. CAA records in DNS limit which CAs may issue for a domain.
Tip: Modern internet uses hierarchical PKI for most things, with certificate pinning layered on top for high-value targets (banking apps, OS update servers) and CT monitoring to catch CA failures after the fact.