LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the three trust models for verifying public keys, and what are their trade-offs?

Direct trust, Web of Trust, Hierarchical (PKI) trust — they differ in who you have to trust and how the trust scales.

Model How trust is established Pros Cons Used by
Direct Trust Verify the public key directly (out-of-band: in person, fingerprint check, pre-installed) Highest assurance per individual key Doesn't scale beyond a small group SSH host keys, Tor onion services
Web of Trust (WoT) Each user signs others' keys; trust is transitive ("Alice trusts Bob's signing → Alice indirectly trusts Charlie whose key Bob signed") Decentralised, no central authority to corrupt Hard for new users to bootstrap; trust graphs are complex; not user-friendly PGP / GPG (key-signing parties)
Hierarchical Trust (PKI) Trust a small set of Root Certificate Authorities; everything they (and their intermediates) sign is trusted Scales to billions of users; user-invisible All eggs in the CA basket — if a CA is compromised or malicious, the whole system suffers TLS/HTTPS, S/MIME, code signing

Direct trust in practice: browsers ship with hard-coded Google/Microsoft/Apple service certificates. Apps and VPN clients embed their server's expected public key (certificate pinning). You verify your bank's PGP key fingerprint in a printed brochure.

Web of Trust caveats: PGP's WoT theoretically works but in practice is dead — nobody runs key-signing parties anymore. Modern replacements like Keybase and Keyoxide use proof-of-identity from social accounts to bootstrap trust without WoT.

Hierarchical PKI's main weakness: there are ~150 trusted root CAs in the typical browser's store. A single compromised or rogue CA can mint a cert for any domain. Notable disasters: DigiNotar (2011) issued fake *.google.com certs (used to spy on ~300,000 Iranian users); Symantec (2017) lost browser trust over years of mis-issuance.

Mitigation: Certificate Transparency (CT) logs publish every cert ever issued so domain owners can detect rogue issuance. CAA records in DNS limit which CAs may issue for a domain.

Tip: Modern internet uses hierarchical PKI for most things, with certificate pinning layered on top for high-value targets (banking apps, OS update servers) and CT monitoring to catch CA failures after the fact.

From Quiz: ISF / Asymmetric Cryptography | Updated: Jul 14, 2026