James Cassell's Blog

Monday, March 10, 2008

Communications Cryptography and Key Signing

I have recently become interested in the encryption and authentication of messages. Several months ago, I started reading up on PGP and its open source implementation GPG. Basically, this is a technology that allows only the intended recipient to read a message. It also allows for the authentication of the sender.

This authentication and encryption is accomplished via public-key cryptography. Basically, each person has two keys: one public and the other private. The public key is given to anyone for verification of a cryptographic signature, or to enable him to send the owner an encrypted message. The private key is used by its owner to sign outgoing messages, and to decrypt incoming messages; it is never disclosed.

The preceding is a very simplified explanation, but should provide a basic idea of what is going on. There does come a small problem: how can you know that the public key you have for someone is really owned by that person? This is where key signing comes in. One solution to this problem is to meet in person and exchange keys, but it would be a pain to meet each and every person with whom you wanted to communicate. Therefore, when you meet in person and exchange keys, you also sign the key of the person you met, to inform people who trust your key that these new keys actually belong to their apparent owners.

A web of trust is created by many people signing each other's keys. In general, the number of hops in this web between your own key and another key indicates how much you can trust the authenticity of that other key: the fewer hops, the more trust.
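To make the two ideas above concrete (a private key signs and a public key verifies; a chain of verified key signatures gives a hop count), here is a small added model. It is not code from the original post and it is not how GPG is implemented: it uses textbook RSA with fixed, constructed Mersenne primes and no padding purely to show the mechanics, the names (alice, bob, carol, dave, mallory) and the certification graph are made up, and nothing in it is secure.

```python
"""Toy model of signing, verification and a web of trust (added example; not
from the original post). Textbook RSA with fixed Mersenne primes is used only to
show the mechanics; real PGP/GPG uses proper key generation, padding and key
sizes. Nothing here is secure."""
import hashlib
from collections import defaultdict, deque

E = 65537  # public exponent

# Constructed toy key material: distinct pairs of Mersenne primes 2^p - 1.
# Every modulus exceeds 2^256, so a SHA-256 digest fits without reduction.
PRIME_PAIRS = {
    "alice":   ((1 << 127) - 1, (1 << 521) - 1),
    "bob":     ((1 << 607) - 1, (1 << 1279) - 1),
    "carol":   ((1 << 89) - 1,  (1 << 2203) - 1),
    "dave":    ((1 << 107) - 1, (1 << 2281) - 1),
    "mallory": ((1 << 61) - 1,  (1 << 3217) - 1),
}


def make_keypair(p, q):
    """Return (public, private) textbook-RSA keys for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data: bytes) -> int:
    """Private-key operation: only the key's owner can produce this value."""
    return pow(digest(data), priv["d"], priv["n"])


def verify(pub, data: bytes, sig: int) -> bool:
    """Public-key operation: anyone holding the public key can check it."""
    return pow(sig, pub["e"], pub["n"]) == digest(data)


def key_bytes(name: str, pub) -> bytes:
    """What a key signature covers: the identity bound to the public key."""
    return f"{name}:{pub['n']}:{pub['e']}".encode()


class Keyring:
    """Public keys we hold plus the certifications (key signatures) on them."""

    def __init__(self):
        self.pubs = {}    # name -> public key (held, not necessarily trusted)
        self.certs = []   # (signer, subject, signature)

    def add_cert(self, signer, subject, sig):
        self.certs.append((signer, subject, sig))

    def certify(self, signer, signer_priv, subject):
        """signer vouches, after checking in person, that subject's key is genuine."""
        data = key_bytes(subject, self.pubs[subject])
        self.add_cert(signer, subject, sign(signer_priv, data))

    def verified_edges(self):
        """Keep only certifications whose signature checks under the signer's key."""
        edges = defaultdict(set)
        for signer, subject, sig in self.certs:
            if signer in self.pubs and subject in self.pubs and \
               verify(self.pubs[signer], key_bytes(subject, self.pubs[subject]), sig):
                edges[signer].add(subject)
        return edges

    def hops(self, start, target):
        """Fewest verified certifications from start's key to target's key, or None."""
        edges, seen, queue = self.verified_edges(), {start}, deque([(start, 0)])
        while queue:
            name, dist = queue.popleft()
            if name == target:
                return dist
            for nxt in edges[name] - seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
        return None


def demo():
    """Constructed scenario: alice met bob and carol, bob met dave."""
    pubs, privs = {}, {}
    for name, (p, q) in PRIME_PAIRS.items():
        pubs[name], privs[name] = make_keypair(p, q)
    ring = Keyring()
    ring.pubs.update(pubs)
    ring.certify("alice", privs["alice"], "bob")
    ring.certify("alice", privs["alice"], "carol")
    ring.certify("bob", privs["bob"], "dave")
    # mallory inserts a certification claiming alice signed her key, but she
    # does not hold alice's private key, so the signature will not verify.
    forged = sign(privs["mallory"], key_bytes("mallory", pubs["mallory"]))
    ring.add_cert("alice", "mallory", forged)
    return {t: ring.hops("alice", t) for t in ("alice", "bob", "carol", "dave", "mallory")}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives a hop count of 1 for bob and carol (alice signed them directly), 2 for dave (reached through bob's signature) and None for mallory, because the certification that names alice as signer fails verification and so never becomes an edge in the web. How many hops you are willing to accept is a policy choice; GPG exposes it as a setting rather than fixing it.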

Anyway, I have not yet attended a key signing party. I was pleased to find out that the ACM at Rensselaer is going to have such a key signing party on March 24, 2008. Hopefully there will be quite a few people there so as to greatly increase the size of this "web of trust."
