Public Key Distribution

There are two ways that keys can be distributed. One is to have a central clearinghouse that is responsible for vouching for the authenticity of every key it holds. When you create a key, you give it to this clearinghouse, convince them that it is genuine, and they distribute it to whoever wants it. This is how RIPEM works.

PGP doesn't do this. It's that Central Authority part that PGP users don't like. ;^) Instead, there is something called the Web of Trust. The easiest way to explain it is by example. John creates his key pair and wants to distribute his public key so that anyone can send him email. The first thing he does after he's made the key available is walk down the hall to Sue's office to get her to sign it. She adds the key to her public keyring, verifies with John that it really is his key, and signs it. The easiest way to verify the key is to compare its fingerprint. John then takes a copy of his key with her signature on it and makes that version of his public key available. Now anyone who gets his public key will find Sue's signature attached to it. So if Bill gets the key and doesn't know John but does know Sue, he can use the key confidently, because he can verify Sue's signature. Sue is vouching for John's key.

So, for instance, here is my PGP public key. It is 896 bits in size and has 8 signatures on it. Here is my friend Tom's PGP public key. It is 1024 bits in size, but he doesn't have any signatures on it. That's why it is much smaller.
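As an added illustration of the signing and checking described above (example code, not from the original page), here is a minimal model of the Web of Trust in Go: Sue certifies John's key after comparing fingerprints, and Bill, who trusts only Sue's key, accepts John's key because Sue's certification verifies, while Tom's unsigned key is rejected. Ed25519 stands in for PGP's RSA keys, and the fingerprint format and certification layout are simplifications, not PGP's actual packet format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Cert is one certification attached to a key: who signed it and the signature.
type Cert struct {
	Signer    string
	Signature []byte
}
// Key is a simplified PGP-style public key: owner's user ID, key material, and
// the certifications other people have attached to it.
type Key struct {
	UserID string
	Pub    ed25519.PublicKey
	Sigs   []Cert
}
// Fingerprint is what Sue compares with John in person: a hash of the key material.
func Fingerprint(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub)) }
// certData is what a certification covers: the user ID bound to the key material.
func certData(k *Key) []byte { return append([]byte(k.UserID+"\x00"), k.Pub...) }
// Certify attaches the signer's signature to k, as Sue does once the fingerprint matches.
func Certify(signerID string, signerPriv ed25519.PrivateKey, k *Key) {
	k.Sigs = append(k.Sigs, Cert{Signer: signerID, Signature: ed25519.Sign(signerPriv, certData(k))})
}
// Valid reports whether someone who directly trusts the keys in trusted (fingerprints they
// checked themselves) can accept k: a certification on k must verify under one of them.
func Valid(k *Key, trusted map[string]ed25519.PublicKey) bool {
	for _, c := range k.Sigs {
		if pub, ok := trusted[c.Signer]; ok && ed25519.Verify(pub, certData(k), c.Signature) {
			return true
		}
	}
	return false
}

func main() {
	suePub, suePriv, _ := ed25519.GenerateKey(rand.Reader)
	johnPub, _, _ := ed25519.GenerateKey(rand.Reader)
	tomPub, _, _ := ed25519.GenerateKey(rand.Reader)
	john, tom := &Key{UserID: "John", Pub: johnPub}, &Key{UserID: "Tom", Pub: tomPub}
	Certify("Sue", suePriv, john) // Sue signs John's key; nobody has signed Tom's
	bill := map[string]ed25519.PublicKey{"Sue": suePub} // Bill knows Sue, not John or Tom
	fmt.Println(Fingerprint(johnPub)[:16], Valid(john, bill), Valid(tom, bill)) // <fp> true false
}
```

A certification that merely claims to be Sue's but was made with another key fails to verify, and so does one whose user ID was changed after signing, since the signature covers the binding of name to key.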

Brian LaMacchia maintains a public key server at MIT. Once you have created your public key, you should put it on that server. Whenever you need someone's public key, get it from this server. As of June 2, 1997, there are over 42,000 public keys on this server. It is located at

http://www-swiss.ai.mit.edu/~bal/pks-toplev.html

Christopher L. Barnard<cbarnard@cs.uchicago.edu>
Last modified: Mon Jul 14 11:03:26 1997