About the Web of Trust

A weak point of public-key algorithms is the distribution of the public keys. A user could put a public key with a false user ID into circulation. If messages are encrypted with this particular key, the intruder can decrypt and read them. If the intruder then forwards the message to the actual recipient, re-encrypted with that recipient's genuine public key, the attack goes unnoticed.

The PGP solution (and therefore automatically the GnuPG solution) is key signing. A public key can be signed by other people. Such a signature certifies that the key carrying that UID (user ID) actually belongs to the person it claims to belong to. It is then up to the GnuPG user how far to trust that signature. One can consider a key trustworthy when one trusts the person who supplied it and knows for certain that the key really belongs to that person. Only if you can trust the signer's key can you trust the signature. To be absolutely certain that a key is correct, compare its fingerprint over a reliable channel before granting it absolute trust.
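As an added illustration (not part of the original document and not GnuPG's own code), the following Python script models how GnuPG's default trust model turns key signatures plus the ownertrust you assign to each signer into key validity. It assumes GnuPG's default thresholds (one fully trusted signer, or three marginally trusted signers, makes a key fully valid) and uses constructed key names instead of real fingerprints.

```python
from enum import Enum

class Trust(Enum):
    """Ownertrust: how far the local user trusts a key's owner to certify others."""
    UNKNOWN = 0
    NEVER = 1
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4

COMPLETES_NEEDED = 1   # GnuPG default: one fully trusted signer suffices
MARGINALS_NEEDED = 3   # GnuPG default: or three marginally trusted signers
MAX_DEPTH = 5          # GnuPG default maximum certification chain length

def compute_validity(signatures, ownertrust):
    """Return {key: 'ultimate' | 'full' | 'marginal' | 'unknown'}.

    signatures: dict key -> set of keys that signed (certified) it.
    ownertrust: dict key -> Trust assigned locally by the user.
    Simplified model: only signers that are themselves fully valid count,
    and a signer with NEVER or UNKNOWN ownertrust introduces nobody.
    """
    keys = set(signatures) | set(ownertrust)
    keys |= {s for sigs in signatures.values() for s in sigs}
    validity = {k: 'unknown' for k in keys}
    for k, t in ownertrust.items():          # our own keys are the trust root
        if t is Trust.ULTIMATE:
            validity[k] = 'ultimate'
    for _ in range(MAX_DEPTH):               # propagate validity outward
        changed = False
        for key in keys:
            if validity[key] in ('ultimate', 'full'):
                continue
            full = marginal = 0
            for signer in signatures.get(key, ()):
                if signer == key or validity[signer] not in ('ultimate', 'full'):
                    continue                 # self-signatures and invalid signers
                t = ownertrust.get(signer, Trust.UNKNOWN)
                if t in (Trust.FULL, Trust.ULTIMATE):
                    full += 1
                elif t is Trust.MARGINAL:
                    marginal += 1
            new = validity[key]
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                new = 'full'
            elif full + marginal > 0:
                new = 'marginal'
            if new != validity[key]:
                validity[key], changed = new, True
        if not changed:
            break
    return validity

# Constructed keyring: who signed whom, and how much we trust each signer.
SIGNATURES = {
    'alice': {'me'}, 'bob': {'alice'}, 'carol': {'me'}, 'dave': {'me'},
    'erin': {'me'}, 'frank': {'carol', 'dave', 'erin'}, 'grace': {'carol'},
    'heidi': {'bob'}, 'mallory': {'eve'},
}
OWNERTRUST = {'me': Trust.ULTIMATE, 'alice': Trust.FULL, 'carol': Trust.MARGINAL,
              'dave': Trust.MARGINAL, 'erin': Trust.MARGINAL}
```

Note that bob's key is fully valid (alice vouched for it) yet heidi's key stays unknown, because validity of a key and trust in its owner as an introducer are separate decisions, exactly as the text above describes.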