
''Web Of Trust''

The ''Web of Trust'' does not work in ways that are necessarily obvious to everybody, but is still similar to everyday life.

For instance, if I say I trust my mother totally, and if you trust me totally, you will trust my mother very much. Most likely, though, you will not trust her totally until she has proven her trustworthiness to you. This is not a bad thing; it is just human nature.

The same thing applies to the web of trust which is being built with GPG and PGP. It is applied a little differently, though. The statement about trust is no longer ''I trust my mother completely.'' The statement is now ''I trust my mother to only sign keys which she is absolutely positive belong to the people who claim to own them.'' As a specific example, the statement might now become ''I trust that my mother has verified that this key which she has signed actually did come from her mother.''

This seems like a bit of an odd statement to make, I'm sure. However, if somebody wished to pose as my grandmother for some reason, then they would only have to create a public key and claim it belonged to my grandmother. Later, I would receive two public keys with my grandmother's name on them. Without these signatures, I can't be sure which one is actually hers.

If we alter the scenario slightly, though, I would receive two keys with my grandmother's name on them. One of them has been signed by my mother, and the other has been signed by John Smith (a person whom I don't know). Using the web of trust which has already been built up, I can safely discard the key signed by John Smith, and accept the key signed by my mother, because I know that my mother only signs keys which she has already verified.

Of course, this raises the question of how to get started. If you have no public keys which you can trust, how can you verify identities? Remember that each and every public key has a unique fingerprint. Start with the people whom you already know personally and whose phone numbers you have. Have them email their public key to you, and then call them up and verify their fingerprints over the phone. Sign their public keys, and email the signed public keys back to them (we'll show you how to do this later on in this HOWTO). Have them do the same for you. If enough people sign these public keys, then trust begins working like a web. You know somebody who knows somebody who knows somebody who knows the person you're trying to communicate with. If you trust the first person to verify identities, and they trust the second person to do the same, and so on down the line, you wind up in a situation where you are sure you're speaking to the correct person, even though you may never have seen them or spoken to them on the phone.

Remember this about trust: You are not claiming to trust the person to tell the truth. You are claiming to trust the person to verify the identity of the owners of the keys they sign. Whenever you are asked about trusting a key, the question you are being asked is ''How much do you trust the owner of this key to actually verify the identities of other key owners?''
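The following is an added example, not part of this HOWTO, that simulates how the web of trust turns the two answers above (who signed a key, and how much you trust each signer to verify identities) into a decision about which keys to believe. It replays the grandmother scenario from this section and also goes a little beyond it by using GnuPG's default rule that a key is valid when it carries one signature from a fully trusted key or three from marginally trusted keys, following verified links at most five hops deep; the key ids and names are constructed for the example.

```python
from dataclasses import dataclass, field

# Owner trust: how far you trust a key's OWNER to verify identities before signing.
UNKNOWN, MARGINAL, FULL, ULTIMATE = 0, 1, 2, 3


@dataclass
class Key:
    keyid: str                                   # constructed label, not a real key id
    signed_by: set = field(default_factory=set)  # ids of keys that have signed this one


def compute_validity(keys, owner_trust, marginals_needed=3, completes_needed=1, max_depth=5):
    """Return the set of key ids whose identity is believed (valid keys).

    A key becomes valid when signed by `completes_needed` valid keys with FULL
    or ULTIMATE owner trust, or by `marginals_needed` valid keys with MARGINAL
    owner trust.  Signatures from keys that are not themselves valid never
    count, so trust only flows along links you have already verified.
    """
    valid = {k for k, t in owner_trust.items() if t == ULTIMATE}  # your own key(s)
    for _ in range(max_depth):                   # each pass extends the web by one hop
        newly_valid = set()
        for key in keys.values():
            if key.keyid in valid:
                continue
            signers = [s for s in key.signed_by if s in valid]
            completes = sum(owner_trust.get(s, UNKNOWN) >= FULL for s in signers)
            marginals = sum(owner_trust.get(s, UNKNOWN) == MARGINAL for s in signers)
            if completes >= completes_needed or marginals >= marginals_needed:
                newly_valid.add(key.keyid)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


def grandmother_scenario():
    """The page's example: two keys bear Grandmother's name; only one is signed by Mother."""
    keys = {k.keyid: k for k in [
        Key("ME"),
        Key("MOM", signed_by={"ME"}),          # you checked Mother's fingerprint by phone
        Key("GRAN-real", signed_by={"MOM"}),   # Mother verified this key herself
        Key("JOHN"),                           # a stranger whose key nobody has verified
        Key("GRAN-fake", signed_by={"JOHN"}),  # impostor key vouched for only by John
    ]}
    owner_trust = {"ME": ULTIMATE, "MOM": FULL}  # "Mother only signs keys she has verified"
    return compute_validity(keys, owner_trust)
```

Note that setting FULL owner trust on John's key would still not rescue the impostor key: a signer's trust only counts once the signer's own key has been validated through the web.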


Greg Wooledge 2000-10-11