A classic problem in security in distributed systems is that of how to
distribute the keys. In traditional world without computers and
networks, it is done <#806#> out-of-band<#806#>, by meeting, letter, phone call
etc. In networks now, we usually have a two level system of trusted
servers (e.g. the X.500 Directory server, or even a secure subset of
World Wide Web servers has been suggested). These can hold public keys
publicly, and private keys for individuals with access control
appropriately set.
More recently, as networks have merged into the Internet spanning all
countries and walks of life, a fully distributed trust model has also
emerged, and is displayed in PGP (Pretty Good Privacy). Here, instead
of a hierarchy of agency approved trusted key managers, certified
with the authority of governments, individuals form a web of trust, by
listing those they trust to introduce them to others, and vouch for
the authenticity of a public key. This has social advantages, but
suffers from one potential disadvantage, which is that the revocation
of a key can be difficult to archive globally.
The interesting thing about the PGP model of distributed trust is that
it is more open, and at the same time can be made more inherently secure,
than a system where an arbitrary central authority delegates trust.