Table of contents
- What is Web of Trust
- Public-key cryptography context
- How Web of Trust works
- Is Web of Trust secure?
- Web of Trust on Android
- Web of Trust in Chrome and other browsers
- Differences between Web of Trust and PKI
- In-depth: Pros and cons of the Web of Trust
- Web of Trust today: a niche for experts?
One of the most critical issues in digital security is the authentication of digital identities. While centralized infrastructures like PKIs (Public Key Infrastructures) dominate the scene, there’s a lesser-known yet fascinating alternative: the Web of Trust.
This article offers an in-depth explanation of what it is, how it works, how secure it is, how it’s implemented on browsers and Android, and how it compares to traditional PKIs, with a discussion of its pros and cons.
What is Web of Trust
The Web of Trust (WoT) is a conceptual and technical model that allows users to establish the authenticity of public cryptographic keys without relying on centralized authorities, as done in Public Key Infrastructure (PKI) systems.
Public-key cryptography context
In asymmetric cryptography, each user owns a public key (to share) and a private key (to keep secret). These keys are mathematically linked: a message encrypted with a public key can only be decrypted by the corresponding private key.
The challenge: how do you know a public key belongs to someone?
This is the key authentication problem. PKI solves it with digital certificates issued by Certificate Authorities (CAs). The Web of Trust uses a peer-to-peer trust model instead.
How WoT works
In the Web of Trust, each user can digitally sign another user’s public key. A signature declares: “I verify that this key belongs to this person.”
These signatures are saved in a keyring, a digital key repository containing all trusted keys and their certifications.
Real-world trust network example
Imagine:
- Alice knows Bob personally and signs his public key.
- Carol knows Alice and trusts her judgments.
- Carol may choose to trust Bob’s key because it’s signed by Alice.
This is transitive trust: trust flows across the network.
Example: signing a key with GnuPG
# Let’s assume Bob’s public key is already in your keyring
# List all keys in your keyring
gpg --list-keys
# Sign Bob’s key
gpg --sign-key <BOB_KEY_ID>
# Export the signed key to send it back to Bob or upload it to a keyserver
gpg --export --armor <BOB_KEY_ID> > bob_signed.asc
This command signs Bob’s key and integrates it into your trust network.
Viewing the Web of Trust
You can use tools like pgpdump, gpg --list-sigs, or gpg --edit-key to view who signed a key, or graphical interfaces like Gpg4win (Windows) or OpenKeychain (Android) to visualize your Web of Trust.
How Web of Trust works
In the Web of Trust, each user owns and manages their own public key, which they can share for encrypted communication or digital signature verification. However, this key is not automatically “trusted”: it must be certified, meaning digitally signed by other users.
Digital signatures as cryptographic assertions
When one user signs another’s public key, they are creating a digital signature that acts as a cryptographic statement. It’s essentially saying:
“I, Alice, confirm that this public key belongs to Bob.”
This is a secure and verifiable statement, creating a direct trust relationship between the two.
Key Signing Parties
One common practice in the PGP/GPG community is the Key Signing Party: an event where users meet in person, show their IDs, and exchange their key fingerprints. After identity verification, they return home and sign each other’s public keys using their own systems.
Practical example: transitive trust network
Let’s suppose:
- Alice knows Bob personally and signs his public key after verification.
- Carol knows and trusts Alice and her verification habits.
- Therefore, Carol may choose to trust Bob’s key, because Alice signed it.
This mechanism forms a transitive trust network, where each signature is an edge and each user is a node in a directed graph.
Graph visualization
Alice ---> Bob
  \
   \
    ---> Carol
Carol concludes: If I trust Alice, and Alice trusts Bob, I can trust Bob too.
In GnuPG, this structure is managed through the keyring, and users can analyze the trust paths with:
gpg --list-sigs
gpg --edit-key <KEY_ID> # to inspect received signatures
Tools like GPG Keychain Access (macOS) or Gpg4win (Windows) also offer graphical interfaces for managing and viewing the Web of Trust.
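Carol’s reasoning in the graph above is exactly what GnuPG’s classic trust model computes: each signature is an edge, the owner trust Carol assigns to a signer is the weight of that edge, and a key becomes valid once it is certified by one fully trusted valid key or by three marginally trusted valid keys (GnuPG’s defaults). The following is an added worked example, not code from the article or from GnuPG; the names are the article’s, and the extra keys in the second scenario are constructed.

```python
# Added example (not from the article or GnuPG): a minimal model of how GnuPG's
# classic trust model turns signatures plus owner trust into key validity.

# Owner-trust levels, numbered as in GnuPG's "trust" menu (1/2 = unknown / do not trust).
MARGINAL, FULL, ULTIMATE = 3, 4, 5

def compute_validity(sigs, ownertrust, marginals_needed=3, completes_needed=1, max_cert_depth=5):
    """Return the set of keys the keyring owner should consider authentic.

    sigs:       {signed_key: {signer_key, ...}}  - every certification is an edge
    ownertrust: {key: level}                     - how much the owner trusts each key to certify
    Defaults mirror GnuPG's classic model (--marginals-needed 3, --completes-needed 1).
    """
    valid = {k for k, t in ownertrust.items() if t == ULTIMATE}   # own keys: valid by definition
    depth = {k: 0 for k in valid}                                 # certification path length
    changed = True
    while changed:                                                # propagate until nothing changes
        changed = False
        for key, signers in sigs.items():
            if key in valid:
                continue
            # A signature only counts if the signer's key is itself valid AND the owner
            # has assigned that signer some owner trust (no trust value = its sigs are ignored).
            usable = [s for s in signers if s in valid and depth[s] < max_cert_depth]
            full = [s for s in usable if ownertrust.get(s, 0) >= FULL]
            marginal = [s for s in usable if ownertrust.get(s, 0) == MARGINAL]
            if len(full) >= completes_needed or len(marginal) >= marginals_needed:
                valid.add(key)
                depth[key] = 1 + min(depth[s] for s in full + marginal)
                changed = True
    return valid

def carol_view(alice_trust=FULL):
    """The article's scenario from Carol's keyring: Carol signed Alice, Alice signed Bob."""
    sigs = {"Alice": {"Carol"}, "Bob": {"Alice"}}
    ownertrust = {"Carol": ULTIMATE, "Alice": alice_trust}
    return compute_validity(sigs, ownertrust)

def marginal_view():
    """Constructed: Dave is certified only by three marginally trusted, valid keys."""
    sigs = {"Alice": {"Carol"}, "Eve": {"Carol"}, "Frank": {"Carol"},
            "Dave": {"Alice", "Eve", "Frank"}}
    ownertrust = {"Carol": ULTIMATE, "Alice": MARGINAL, "Eve": MARGINAL, "Frank": MARGINAL}
    return compute_validity(sigs, ownertrust)

if __name__ == "__main__":
    print(sorted(carol_view()))          # ['Alice', 'Bob', 'Carol']
    print(sorted(carol_view(MARGINAL)))  # ['Alice', 'Carol']  - one marginal signer is not enough
    print(sorted(marginal_view()))       # ['Alice', 'Carol', 'Dave', 'Eve', 'Frank']
```

Note that Bob’s key ends up valid but carries no owner trust, so anything Bob signs counts for nothing in Carol’s keyring until she explicitly sets a trust level for him.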
Is Web of Trust secure?
The short answer is: yes, but with caveats. The Web of Trust (WoT) can be very secure, but unlike PKI systems, its security is not automatic. It strongly depends on user behavior, careful key verification, and responsible management.
Strengths of Web of Trust security
- Total decentralization
- WoT doesn’t rely on a central Certificate Authority (CA), so there’s no single point of failure.
- Example: if a CA like DigiCert is compromised, thousands of certificates become untrustworthy. In WoT, only directly linked nodes are affected.
- User-level control
- Each user decides individually whom to trust.
- You’re not forced to trust system-defined authorities—you can build your own personalized trust network, ideally with people you’ve met and verified in person.
Weaknesses and risks
- Limited scalability
- Unlike PKI, where millions of certificates are issued automatically, WoT key signing is manual and slow.
- It often requires physical verification (e.g., key signing parties).
- Unverified cross-signatures
- A frequent issue is users signing keys without verifying identities, which undermines trust.
- This can create falsely trusted nodes in the trust network.
- No centralized revocation
- Key revocation depends on the user’s action and isn’t automatically distributed.
- If a user doesn’t revoke a stolen key, others might keep trusting it unknowingly.
How to increase security
To minimize risks and enhance security, you should:
- Use GnuPG with strict practices:
- Always verify key fingerprints.
- Set trust levels only after identity checks.
- Keep your keyring updated.
# Check the fingerprint of a key
gpg --fingerprint <KEY_ID>
# Edit a key to set its owner trust (at the gpg> prompt, type "trust")
gpg --edit-key <KEY_ID>
trust
# Then choose a level: 1 = don't know, 2 = do not trust, 3 = marginal, 4 = full, 5 = ultimate
- Use revocation mechanisms:
- Create a revocation certificate as soon as you generate a new key.
gpg --output revoke.asc --gen-revoke <KEY_ID>
- Upload keys only to trusted servers, like keys.openpgp.org, which supports verified email confirmation and revocation.
Web of Trust on Android
Although mobile operating systems tend to favor ease of use, it is entirely possible to integrate the Web of Trust on Android through applications compatible with OpenPGP, the open standard derived from PGP.
The two main apps for WoT on Android
- OpenKeychain
- A free, open-source, ad-free app.
- Allows users to generate, import, sign, revoke, and manage PGP keys.
- It features a clear and secure graphical interface.
- Fully supports key signing, making it a true Web of Trust implementation.
- Can interface with other Android apps via the Android Intent system.
- FairEmail
- A modern, lightweight, privacy-focused email client.
- Supports PGP encryption and signing via direct integration with OpenKeychain.
- Allows you to verify the sender’s identity using your Web of Trust.
What you can do with WoT on Android
Using OpenKeychain and FairEmail, you can:
- Create your own key pair.
- Import other people’s public keys and verify their fingerprints.
- Digitally sign verified public keys to add them to your trust network.
- Send encrypted emails that only your recipients can read.
- Check if an email is signed by a key that belongs to your Web of Trust.
Practical example
- Install OpenKeychain via F-Droid or Play Store.
- Create a new identity → generate your key pair.
- Add a friend’s public key → verify the fingerprint.
- Sign your friend’s key → grow your Web of Trust.
- Open FairEmail, link your PGP identity → send secure emails.
This setup makes Android a fully functional platform for the decentralized trust model of the Web of Trust.

Web of Trust in Chrome and other browsers
Modern browsers like Google Chrome, Mozilla Firefox, and Brave do not natively support the Web of Trust. Instead, they rely on PKI (Public Key Infrastructure) and SSL/TLS certificates issued by central Certification Authorities (CAs) preinstalled in the browser.
Browser limitation: built-in PKI only
When visiting an https:// website, the browser checks the SSL certificate’s validity via a trust chain that leads back to a root CA. This model does not support peer-to-peer signing, the core of the Web of Trust.
How to enable Web of Trust through extensions
Despite this, you can use the Web of Trust for encrypted email communication in your browser by installing extensions that integrate with GnuPG or OpenPGP.
Useful extensions
- Mailvelope
- Available for Chrome, Firefox, Edge.
- Adds OpenPGP encryption to webmail platforms (Gmail, Outlook, Yahoo, etc.).
- Supports key import, signing, verification.
- Uses your local keyring and supports Web of Trust logic for signature validation.
- Enigmail (historically for Thunderbird)
- Though Thunderbird now supports OpenPGP natively, Enigmail was key in bringing GnuPG integration to the desktop.
- Users could verify keys and manage trust based on WoT principles.
What you can do with Mailvelope
- Import your and your contacts’ PGP keys.
- Verify signatures using your Web of Trust.
- Sign public keys and build trust paths.
- Compose encrypted emails that only recipients can read.
Usage example: sending a signed encrypted email
- Install Mailvelope in Chrome.
- Create or import your OpenPGP key.
- Import your recipient’s public key.
- Sign the key if you trust it (WoT principle).
- In your webmail, click “Compose secure message” (via Mailvelope).
- Write and send → only your recipient can decrypt it with their private key.
While the browser itself doesn’t manage the Web of Trust, extensions like Mailvelope handle it at the application layer.
Differences between Web of Trust and PKI
PKIs (like Let’s Encrypt, DigiCert, etc.) are based on a hierarchical model, where central certification authorities issue and validate digital certificates.
In contrast, Web of Trust is a peer-to-peer system, where trust is distributed horizontally among users.
| Feature | Web of Trust | PKI (Public Key Infrastructure) |
|---|---|---|
| Model | Decentralized | Hierarchical |
| Main actors | Users who sign each other’s keys | Certification Authorities (CAs) |
| Scalability | Limited, manual | High, automated |
| Trust management | Individual, user-defined | Centralized |
| Key revocation | Manual | Automated via CRL or OCSP |
In-depth: Pros and cons of the Web of Trust
The Web of Trust (WoT) offers a radically decentralized model for building digital trust between users.
Unlike PKI, which relies on central certificate authorities, WoT turns every user into both a node and a validator in the network. This brings meaningful advantages, but also significant limitations that affect its broader adoption.
Advantages of the Web of Trust
1. Decentralization
The biggest strength of WoT is its lack of central authorities. Users don’t need to rely on a third party to confirm key ownership—trust is built bottom-up, directly between individuals.
Example
If Alice signs Bob’s key, it’s a direct, peer-to-peer validation. No single CA compromise can affect the whole system.
2. User autonomy
Users have full control over who they trust and to what extent. You can assign trust levels to signatures you receive (e.g., marginal, full) and decide to trust only people you’ve verified personally.
With GnuPG:
gpg --edit-key <KEY_ID>
trust
# Choose: 1 = don't know, 2 = do not trust, 3 = marginal, 4 = full, 5 = ultimate
3. Transparency
Each signature is visible and cryptographically verifiable. This allows users to inspect trust chains and determine how a key was validated.
Example:
gpg --list-sigs <KEY_ID>
This command shows who signed a key and allows you to assess whether the trust path is valid.
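To assess a trust path you usually want the same listing in machine-readable form, which gpg --list-sigs --with-colons produces: one colon-separated record per key, user ID and signature. The parser below is an added example, not code from the article or from GnuPG; the sample listing is constructed (made-up key IDs and names), and it assumes the documented field layout where field 5 is the key ID, field 10 the signer’s user ID and field 11 the signature class.

```python
# Added example (not from the article or GnuPG): parse "gpg --list-sigs --with-colons"
# output to list who certified which user ID, and flag certifications that claim no
# identity verification. SAMPLE is constructed; key IDs and names are made up.

SAMPLE = """\
pub:u:255:22:0123456789ABCDEF:1700000000::::::scESC:::::ed25519:::0:
fpr:::::::::FEDCBA9876543210FEDCBA98760123456789ABCDEF:
uid:u::::1700000000::HASH1::Bob <bob@example.org>::::::::::0:
sig:::22:0123456789ABCDEF:1700000000::::Bob <bob@example.org>:13x:::::2:
sig:::22:1111222233334444:1700100000::::Alice <alice@example.org>:13x:::::2:
sig:::22:5555666677778888:1700200000::::Mallory <mallory@example.org>:11x:::::2:
sig:::22:9999AAAABBBBCCCC:1700300000::::Dan <dan@example.org>:10l:::::2:
"""

# Signature class (field 11): two hex digits give the OpenPGP certification type,
# the trailing letter is 'x' for exportable or 'l' for local (non-exportable).
CERT_TYPES = {"10": "generic", "11": "persona (no verification claimed)",
              "12": "casual", "13": "positive"}

def parse_certifications(listing):
    """Return one dict per third-party certification found on each user ID."""
    certs, key_id, uid = [], None, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key_id, uid = f[4], None          # remember whose key we are reading
        elif f[0] == "uid":
            uid = f[9]                        # following sig records belong to this uid
        elif f[0] == "sig" and uid is not None:
            signer, cls = f[4], f[10]
            if signer == key_id:
                continue                      # self-signature binds the uid; it vouches for nothing
            certs.append({"uid": uid, "signer": f[9], "signer_id": signer,
                          "type": CERT_TYPES.get(cls[:2], "unknown"),
                          "exportable": cls.endswith("x")})
    return certs

def trustworthy_certs(listing):
    """Keep only exportable certifications whose class claims some verification (not 0x11)."""
    return [c for c in parse_certifications(listing)
            if c["exportable"] and not c["type"].startswith("persona")]

if __name__ == "__main__":
    for c in parse_certifications(SAMPLE):
        print(f'{c["signer"]:35} {c["type"]:35} exportable={c["exportable"]}')
    print([c["signer"] for c in trustworthy_certs(SAMPLE)])   # ['Alice <alice@example.org>']
```

Remember that --list-sigs only lists signatures; run gpg --check-sigs to have GnuPG actually verify them before drawing conclusions about a trust path.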
Disadvantages of the Web of Trust
1. Steep learning curve
WoT is not user-friendly for non-technical audiences. To use it properly, you need to understand:
- public key cryptography;
- keyring management;
- the difference between signing and encrypting;
- fingerprint validation procedures.
Training is essential to make WoT accessible to broader audiences.
2. Manual trust management
Building and maintaining a trust network takes time and personal interaction. Signing keys can’t be safely automated—you need to verify identities, fingerprints, often in person.
Example: Signing a key takes more effort than getting a free SSL certificate from Let’s Encrypt.
3. Limited mainstream support
WoT is not natively supported by major operating systems or browsers. They rely on centrally issued CA certificates.
Result: Apps must implement WoT support manually via plugins or third-party tools (e.g., GnuPG, Mailvelope, OpenKeychain).
Web of Trust today: a niche for experts?
Despite its theoretical advantages, the Web of Trust (WoT) has never truly gained traction among the general public. Its adoption remains largely confined to technical communities like hackers, privacy activists, and some cyber security professionals.
Several key factors explain this limited reach.
Why hasn’t Web of Trust gone mainstream?
- High technical complexity
- Understanding and using WoT requires advanced skills: key management, signature verification, GnuPG usage, analyzing trust chains.
- For the average user, this is too cumbersome compared to just seeing a “green padlock” in a browser.
- Competition from modern PKIs
- Services like Let’s Encrypt have made it easy, free, and automated to get SSL/TLS certificates.
- This lowered the barrier to entry and helped PKI become the default trust model online.
- Lack of mainstream software support
- Most browsers, operating systems, and mobile apps do not implement WoT natively.
- This severely limits its visibility and accessibility.
But Web of Trust is not dead
In technical circles, WoT still thrives. Among cryptographers, security researchers, activists, and open-source developers, the Web of Trust remains a viable, ethical, and decentralized alternative.
A conscious choice
Using WoT today is a statement of intent: it means you want to keep control over your digital relationships, without outsourcing trust to third parties. It’s a conscious choice, not a default setting.
“Trust, but verify… yourself.”
In a world where trust is increasingly automated, the Web of Trust is a return to trust as a human relationship, based on personal verification.
Questions and answers
- What is Web of Trust?
  A decentralized trust model where users sign each other’s cryptographic keys.
- How is it different from PKI?
  PKI is hierarchical and centralized; WoT is peer-to-peer and distributed.
- Is Web of Trust secure?
  Yes, if it’s used properly with strong key verification practices.
- Can I use it on Android?
  Yes, via apps like OpenKeychain or email clients with PGP support.
- Is there a Chrome version?
  Not natively, but extensions like Mailvelope support WoT-like encryption.
- Is Web of Trust still used today?
  Yes, especially by advanced users and privacy-conscious communities.
- How does signing a key work?
  A user digitally signs another’s public key to vouch for its authenticity.
- Can keys be revoked in WoT?
  Yes, but the process is manual and must be done carefully.
- Is WoT suitable for businesses?
  Not easily—PKI is more scalable and manageable in corporate environments.
- What tools can I use to start?
  GnuPG, OpenKeychain, Mailvelope, and Thunderbird are great starting points.