Exporting/Importing One by one:
A correspondent's key is validated by personally checking his key's fingerprint and then signing his public key with your private key. By personally checking the fingerprint you can be sure that the key really does belong to him, and since you have signed the key, you can be sure to detect any tampering with it in the future. Unfortunately, this procedure is awkward when either you must validate a large number of keys or communicate with people whom you do not know personally. GnuPG addresses this problem with a mechanism popularly known as the web of trust.
By Web Of Trust:
In the web of trust model, responsibility for validating public keys is delegated to people you trust. For example, suppose

- Alice has signed Blake's key, and
- Blake has signed Chloe's key and Dharma's key.

If Alice trusts Blake to properly validate keys that he signs, then Alice can infer that Chloe's and Dharma's keys are valid without having to personally check them. She simply uses her validated copy of Blake's public key to check that Blake's signatures on Chloe's and Dharma's are good. In general, assuming that Alice fully trusts everybody to properly validate keys they sign, then any key signed by a valid key is also considered valid. The root is Alice's key, which is axiomatically assumed to be valid.
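The validity inference described above, as an added toy model (not GnuPG's code): the owner's key is the axiomatically valid root, and a key becomes valid when it carries a signature from a valid key whose owner the ring owner has marked as fully trusted. It goes slightly beyond the text by letting trust be per person rather than "everybody", which is what separates a valid key (Chloe's) from a trusted signer (Blake); all names are the passage's, plus a constructed "Elena".

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Keyring:
    """Minimal web-of-trust model: who signed whom, and whom we trust to sign."""
    owner: str                                   # our own key, axiomatically valid
    signatures: dict[str, set[str]] = field(default_factory=dict)  # key -> signers
    full_trust: set[str] = field(default_factory=set)             # trusted validators

    def sign(self, signer: str, key: str) -> None:
        """Record that `signer` has signed `key` (signature assumed to verify)."""
        self.signatures.setdefault(key, set()).add(signer)

    def valid_keys(self) -> set[str]:
        """Compute the set of valid keys by fixed-point iteration.

        A key is valid if some signer of it is already valid AND is either
        the owner (who checked the fingerprint personally) or fully trusted.
        """
        valid = {self.owner}
        changed = True
        while changed:
            changed = False
            for key, signers in self.signatures.items():
                if key in valid:
                    continue
                if any(s in valid and (s == self.owner or s in self.full_trust)
                       for s in signers):
                    valid.add(key)
                    changed = True
        return valid


def example_keyring(trust_blake: bool = True) -> Keyring:
    """Alice's ring from the passage; Elena is a constructed extra key."""
    ring = Keyring(owner="Alice")
    ring.sign("Alice", "Blake")    # Alice checked Blake's fingerprint herself
    ring.sign("Blake", "Chloe")
    ring.sign("Blake", "Dharma")
    ring.sign("Chloe", "Elena")    # Chloe is valid but not trusted: Elena stays invalid
    if trust_blake:
        ring.full_trust.add("Blake")
    return ring


if __name__ == "__main__":
    print(sorted(example_keyring(True).valid_keys()))   # Alice, Blake, Chloe, Dharma
    print(sorted(example_keyring(False).valid_keys()))  # Alice, Blake
```

Withdrawing trust in Blake leaves his own key valid (Alice signed it) but drops Chloe and Dharma, showing that a signature from a valid key is not enough unless its owner is also trusted.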