web of trust

web of trust definition - computer

An informal mechanism for determining the validity of public keys, especially for PGP users. A user posting a new public key has it signed by someone they know who already has a public/private key pair. Once the signer verifies the identity of the person with the new key (for example, by seeing them in person or by voice recognition on the phone), the signer verifies that the new key is genuine.

Before signing it, the signer makes sure that the key contains the correct key fingerprint (actual code). After signing, the signed key is posted to key servers. Anyone who trusts the signer to follow proper identification procedures can decide to trust all the keys signed by that person. To extend the web of trust, users must decide to trust all the people whose keys have been signed by signers they already trust. This system contrasts with formal public key cryptosystems because there are no central or hierarchical signing authorities. See PKI and PGP.
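The trust decision described above can be modelled as a walk over key signatures. The following is an added example, not part of the original definition and not how any particular PGP implementation computes validity; the names, the sample signatures and the function valid_keys are all constructed for illustration.

```python
from collections import deque

# Constructed sample data: (signer, signed_key) pairs as they might be
# read off a key server. All names are hypothetical.
SIGNATURES = [
    ("alice", "bob"),
    ("bob", "carol"),
    ("carol", "dave"),
    ("mallory", "eve"),   # mallory's key is never reached from alice
    ("dave", "alice"),    # cycle back to the starting key
    ("bob", "frank"),
    ("frank", "grace"),
]

def valid_keys(me, trusted_signers, signatures, extend=False, max_depth=None):
    """Return {key: chain length} for the keys `me` may treat as genuine.

    A key is accepted when it carries a signature from a key that is
    already accepted AND whose owner `me` trusts to check identities.
    With extend=True, that trust is granted to every accepted key owner,
    which is the "extend the web of trust" decision described above.
    """
    signed_by = {}
    for signer, key in signatures:
        signed_by.setdefault(signer, set()).add(key)

    depth = {me: 0}                 # the user's own key is the starting point
    queue = deque([me])
    while queue:
        signer = queue.popleft()
        if signer != me and not extend and signer not in trusted_signers:
            continue                # key is genuine, but its signatures do not count
        if max_depth is not None and depth[signer] >= max_depth:
            continue                # optional limit on signature chain length
        for key in sorted(signed_by.get(signer, ())):
            if key not in depth:    # already-accepted keys are skipped, so cycles end
                depth[key] = depth[signer] + 1
                queue.append(key)
    return depth

if __name__ == "__main__":
    print(valid_keys("alice", {"bob"}, SIGNATURES))
    print(valid_keys("alice", set(), SIGNATURES, extend=True))
```

In the first call carol's key is accepted because bob signed it, but dave's is not, since alice has not decided to trust carol as a signer; eve's key is rejected in both calls because no chain of signatures reaches it from alice.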



Computer Desktop Encyclopedia THIS DEFINITION IS FOR PERSONAL USE ONLY
All other reproduction is strictly prohibited without permission from the publisher.
Copyright © 1981-2009 by Computer Language Company Inc. All rights reserved.
