Strengthening the web of Trust @ the Mozilla Summit 2010

Ludovic Hirlimann

I’ve asked for a Breakout Session at Whistler for this – I didn’t get an answer yet, but as I need to get things on the grounds, so I’ll post this anyway, so people can prepare themselves and if we don’t get a room we can do it more informally

What ?

From the wikipedia article :
Its decentralized trust model is an alternative to the centralized trust model of a public key infrastructure (PKI), which relies exclusively on a certificate authority (or a hierarchy of such). As with computer networks, there are many independent webs of trust, and any user (through their identity certificate) can be a part of, and a link between, multiple webs.

The web of trust is in other word , you as an individual, telling the world that you trust someone else and that you’ve tried to verify that person’s identity to your best. And publishing that information so other will have access to it.

Why ?

Having a large group of people gathering from all other the world is the perfect occasion to build a good and very decentralized web of trust ( how often will you have a chance to meet someone from say Africa when you’re living in say Northen Europe at the same time you meet a north American citizen). So meeting plenty of people is good makes the chance of meeting people who care bigger.

How ?

As said above there are plenty of ways to build web of trusts – I’m organizing signing parties for the ones I use : PGP and CACert.
You’ll need to prepare a few things if you want to join our signing event and That’s why I’m posting this now, to give you the time to read documentation and prepare the paperwork that is necessary for the signings to go smoothly. As a side note I always find it very amusing that the web of trust is something very digital that requires a lot of pen/paper work. You can participate to both web of trusts of course, but for organizational reasons, I’ll split the how and what you need to prepare in two.


CACert provides certificates that can be used to either sign/encrypt emails, software, or setup a SSL protected webserver.
To participate you’ll need an account on, two valid government issued ID (one is enough but two is better – most of you will have a passport so it’s just about bringing another ID (like a drivers licence etc ..)). Bringing a few filled in and printed CAcert Assurance Programme
Identity Verification Form
(CAP) will help things go smoothly. The CAPs can be found pre-filled when you have an account.
Recap :

  1. An account on
  2. At least one Governement issue ID (two is better)
  3. A bunch of prefilled CAcert Assurance Programme
    Identity Verification Form (CAP).

Note I am a CACert assurer, I’m looking for other CAcert assurers (get in touch with me, to let me know you want to be an assurer there ).


OpenPG offers digital signing for software and email. And Also offers email encryption. To be able to participate you’ll need to install a OPenPG compatible manager an create a key. Make sure to publish your public key (this will make things easier for the signing part). And we’ll use the informal method signing method, so be sure to bring a good number of printed fingerprints to exchange with others.


  1. Have a published PGP key
  2. Valid ID(s)
  3. Printout of your PGP fingerprint to hand out to other participants

If you have questions send me an email