Security Education Companion
A free resource for digital security educators

Public key servers

If you plan to send a secure message to someone who uses public key cryptography like PGP, you need to know what key to use to encrypt your message. Public key servers act as a phonebook for such keys, allowing software to use an email address, name, or key fingerprint to search for a full key and download it. There are many PGP public key servers, but they usually share their key collections with each other. Keyservers can't verify whether the keys they publish are genuine or forgeries. Anyone can upload a key to a public key server—in anyone's name. That means that a key connected to a person's name or email on a keyserver might not be their real key. In order to check the authenticity of a key, you need to check its signatures, or confirm its fingerprint with the original user in a trustworthy way.

PGP allows you to sign other people's keys, which is a way of using your own key to assert that a certain key is the right one to use to contact another person. This is meant to provide a way of distinguishing between genuine and fake keys; if people sign the right keys for people they know and communicate with, others can use those signatures to confirm that the genuine keys are genuine. When you download a key from a key server, it may include signatures from other people who affirm that it's the right one. If you know those people and know that you have the right key for them, you can have more confidence in the newly downloaded key. This verification process is also called the web of trust. Its advantage is that it's decentralized and not controlled by any authority, so you don't have to believe a certain company or government about which keys to use when writing to new people. Instead, you can believe your own social networks. One important disadvantage of the web of trust is that publishing signatures for other people's keys tells the whole world who your contacts are; it creates public evidence that you know particular people. Also, using the web of trust correctly requires a good deal of time and attention, and some communities rarely or never participate.
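The two paragraphs above describe a keyserver that serves whatever it is given and a client that decides, from signatures, which of several keys listed under one email address is genuine. The model below is an added example written for this page; it is not code from the Security Education Companion or from any PGP implementation. Signatures are represented as plain "key X signed key Y" records rather than real cryptographic signatures, every fingerprint and address is a constructed sample value, and the validity rules (one fully trusted signer, or three marginally trusted signers, each holding a valid key themselves) are an assumption modelled on GnuPG's classic trust settings rather than something the page states. It goes slightly beyond the text by also showing the three-marginal-signers rule.

```python
"""Web-of-trust model: which of the keys a keyserver returns for one address
should a PGP client treat as valid?

Added illustration, not code from the page or any PGP implementation.
Signatures are records, not real crypto; fingerprints below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Owner trust: how far YOU trust a key's holder to vouch for other people's keys.
UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"


@dataclass
class Key:
    fingerprint: str                                   # the value you verify out of band
    uid: str                                           # name/email; anyone can claim it
    signers: Set[str] = field(default_factory=set)     # fingerprints of keys that signed this one


class Keyserver:
    """Phonebook semantics: nothing is vetted, every uploaded key is served."""
    def __init__(self) -> None:
        self._keys: Dict[str, Key] = {}

    def upload(self, key: Key) -> None:
        self._keys[key.fingerprint] = key

    def search(self, uid: str) -> List[Key]:
        return [k for k in self._keys.values() if k.uid == uid]

    def lookup(self, fingerprint: str) -> Optional[Key]:
        return self._keys.get(fingerprint)


def compute_valid_keys(keyring: Dict[str, Key], ownertrust: Dict[str, str],
                       marginals_needed: int = 3, max_depth: int = 5) -> Set[str]:
    """Return the fingerprints in `keyring` the client considers valid.

    Your own (ultimately trusted) key is valid by definition. Another key
    becomes valid when a valid signer rated FULL/ULTIMATE signed it, or when
    `marginals_needed` valid signers rated MARGINAL did. Signatures from keys
    that are not themselves valid count for nothing, which is what makes
    sock-puppet signatures on a forged key worthless.
    """
    valid = {f for f, t in ownertrust.items() if t == ULTIMATE and f in keyring}
    for _ in range(max_depth):                      # bounded certification chain length
        newly_valid = set()
        for fpr, key in keyring.items():
            if fpr in valid:
                continue
            trusted = [s for s in key.signers if s in valid]
            full = sum(1 for s in trusted if ownertrust.get(s) in (FULL, ULTIMATE))
            marginal = sum(1 for s in trusted if ownertrust.get(s) == MARGINAL)
            if full >= 1 or marginal >= marginals_needed:
                newly_valid.add(fpr)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


def fetch_candidates(server: Keyserver, uid: str, keyring: Dict[str, Key],
                     ownertrust: Dict[str, str], **rules) -> Dict[str, bool]:
    """Download every key listed under `uid`, also pull in the keys that signed
    them (one level, as a client fetching signer keys would), and report which
    candidates come out valid under the web-of-trust rules."""
    candidates = server.search(uid)
    for key in candidates:
        keyring.setdefault(key.fingerprint, key)
        for signer in key.signers:
            signer_key = server.lookup(signer)
            if signer_key is not None:
                keyring.setdefault(signer, signer_key)
    valid = compute_valid_keys(keyring, ownertrust, **rules)
    return {k.fingerprint: (k.fingerprint in valid) for k in candidates}


# Constructed fingerprints (40 hex digits, PGP v4 style). Not real keys.
ME, BOB, CAROL, ERIN, FRANK = "A" * 40, "B" * 40, "C" * 40, "E" * 40, "F" * 40
ALICE_REAL = "1111" * 10
ALICE_FAKE = "2222" * 10                           # impostor's upload under Alice's email
PUPPET1, PUPPET2, PUPPET3 = "D1" * 20, "D2" * 20, "D3" * 20
DAVE = "3333" * 10


def build_server() -> Keyserver:
    """Constructed keyserver contents: honest keys, a forgery, and its sock puppets."""
    server = Keyserver()
    for key in (
        Key(ME, "me@example.org"),
        Key(BOB, "bob@example.org", {ME}),         # you signed Bob after checking his fingerprint
        Key(CAROL, "carol@example.org", {ME}),
        Key(ERIN, "erin@example.org", {ME}),
        Key(FRANK, "frank@example.org", {ME}),
        Key(ALICE_REAL, "alice@example.org", {BOB}),
        Key(ALICE_FAKE, "alice@example.org", {PUPPET1, PUPPET2, PUPPET3}),
        Key(PUPPET1, "p1@example.net", {ALICE_FAKE}),   # puppets vouch for each other only
        Key(PUPPET2, "p2@example.net", {ALICE_FAKE}),
        Key(PUPPET3, "p3@example.net", {ALICE_FAKE}),
        Key(DAVE, "dave@example.org", {CAROL, ERIN, FRANK}),
    ):
        server.upload(key)
    return server


def my_ownertrust() -> Dict[str, str]:
    """Trust you assigned by hand after verifying each fingerprint in person."""
    return {ME: ULTIMATE, BOB: FULL, CAROL: MARGINAL, ERIN: MARGINAL, FRANK: MARGINAL}


def demo():
    """Returns ({alice candidates -> valid?}, {dave candidates -> valid?})."""
    keyring = {ME: Key(ME, "me@example.org")}
    server = build_server()
    alice = fetch_candidates(server, "alice@example.org", keyring, my_ownertrust())
    dave = fetch_candidates(server, "dave@example.org", keyring, my_ownertrust())
    return alice, dave


if __name__ == "__main__":
    alice, dave = demo()
    for fpr, ok in alice.items():
        print(f"alice@example.org {fpr[:8]}... valid={ok}")
    print(f"dave@example.org {DAVE[:8]}... valid={dave[DAVE]}")
```

Running `demo()` marks Alice's genuine key valid (Bob, whom you rated fully trusted and whose key you signed, signed it) and the impostor's key invalid even though it carries three signatures, because none of the signers is a key you can validate. Dave's key is valid only through the three-marginal-signers rule; calling `fetch_candidates` with `marginals_needed=4` rejects it, which is the tuning knob a client exposes for how much of your social network must vouch before you trust a key.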