In an E2EE system, how does Alice know what Bob's public key is?

Reply to In an E2EE system, how does Alice know what Bob's public key is? on Wed, 08 Apr 2026 17:06:06 GMT

zoarial94@infosec.exchange — Wed, 08 Apr 2026 17:06:06 GMT

@ghosttie @dacmot I think you need a second communication channel. And something to corroborate that multiple channels are controlled by the same person. The most surefire way is to meet in person and confirm the keys. I don't think there's a purely technical way to solve this without putting trust into some central authority. It's inherently a social problem.

Reply to In an E2EE system, how does Alice know what Bob's public key is? on Wed, 08 Apr 2026 17:04:49 GMT

dacmot@sunny.garden — Wed, 08 Apr 2026 17:04:49 GMT

@ghosttie one way would be to meet in person.

In a system like Signal, it would be built in to the user ID. For things like PGP/GPG, websites, or developer signing key, there are multiple mechanisms to verify the key identity. You can use a web of trust (WOT) or keyrings, certificate authorities like DigiCert/Let's Encrypt, or MS/Google/Apple issuing signing keys.

Note that none of those methods are perfect, and a bad actor could still manage to impersonate someone else. But it makes it significantly harder.

Reply to In an E2EE system, how does Alice know what Bob's public key is? on Wed, 08 Apr 2026 16:54:39 GMT

ghosttie@mastodon.gamedev.place — Wed, 08 Apr 2026 16:54:39 GMT

@dacmot how does Alice know that's Bob's actual public key and not Mallory's?

Reply to In an E2EE system, how does Alice know what Bob's public key is? on Wed, 08 Apr 2026 16:53:25 GMT

dacmot@sunny.garden — Wed, 08 Apr 2026 16:53:25 GMT

@ghosttie it's public, so either Bob can send it to Alice, or if it's part of a system like Signal, then the public key is part (maybe hidden /abstracted) of the user profile data.