PGP - Pretty Good Privacy
PGP, or Pretty Good Privacy, is a PKI system which is easier to use and setup than the corporate PKI model, but it is also less robust when it comes to issues like authentication and trust. In the PGP PKI there are no certificates, CA's, or strong authentication. The benefits of PGP is that it is very easy for a single users to set up and use and still provides users with the best encryption scheme availiable. PGP was primarily designed to secure e-mail and all users to digitally sign documents. PGP is probably the most common PKI due to its ease to implement and the fact that there is not explicit infrastructre to maintain.
Since PGP is a PKI, PGP uses public key cryptograpgy and provides a method of exchanging public keys. To use PGP a one would download the program from a site like The MIT PGP Distribution Site. Once the program is downloaded the user will create thier own public and private key. The only other item that the user has to deal with is his/her keyring.
The keyring is a document that is signed by the owner's private key. Besides having the owners digital signature, the keyring also contains keys over other PGP users. The keys of other PGP users are simpely the public keys of another PGP user. When a PGP user adds another users key to his/her ring the user is alos adding that persons entire keyring to his/her keyring. When adding a keyring the user can assign different levels of trust to that keyring. These levels of trust are, completelly trusted, marinally trusted, untrusted, and unknown. The level of trust has more to do with trusting the owners integrity rather than trusting the validity of the actual key. Users sign thier keyrings with thier own private key, the level of trust attribute really means completely trust every key on a key ring signed by this persons key, or marginally trust every key on the keyring signed by this person. Thus, if I give your key the completely trusted attribute, I will actually be completely trusting you and everyone that you completely trust on your keyring. This is known as a web of trust as users trust entire groups of users at a time rather than just a single user.
The PGP PKI each user is effectivly thier own root CA with full authority on who is trusted by the user. The users public key, with keyring included, could also be considered that user's certificate. The benefits of PGP is that one only needs to download the PGP program and that person can begin exchanging public keys and encrypting messages singed with public keys. The only infrastructe needed is e-mail so keyrings can be exchanged. No central authority ever needs to be established or maintained for PGP to be effective. Furthermore, the full benefits of public key cryptography are used. Users may send encrypted messages across the web and users can also digitally sign documents.
PGP does have some short comings. The web of trust method forces users to trust someone's entire keyring even if the user only really trusts a the owner of the keyring. For example, if I trust you completely, but I don't want to trust anyone else that you trust in your web (keyring), I am stuck. By trusting you I also trust everone in your web and by trusting no one in your web I can't trust you. Another problem with PGP is if one user is fooled into believing someone else's identity any other user will also be fooled into believing that person's identity by trusting the keyring of the user who was originally fooled. For these reason PGP is not used for applications that require strong authentification such as electronic commerce.
To conclude, PGP provides the average user, basically all users who won't be conducting electornic commerce, with all the encryption features necessary to send electronic messages and sign documents.
To go back to main page click here or to proceed to the page describing PKI, click here
Send your comments and sugestions to