PGP is known for its decentralized key management strategy. PGP users generate and distribute their own public keys. They can sign one another's public keys, thereby adding extra confidence in a key's validity. For example, Alice can tell PGP to trust Trent as an introducer. Whenever Alice sees a public key signed by Trent, she (and the PGP program) will trust the validity of this public key.
Alice can even tell PGP that she trusts, e.g., Bob and John only marginally as introducers. If she receives a new public key and sees only Bob's signature on it, PGP may choose not to trust this key. But if both Bob and John have signed the new key, PGP will accept it.
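The introducer rules described above, worked through as an added example (this is not code from PGP or from the original text). The names `valid_keys`, `COMPLETES_NEEDED` and `MARGINALS_NEEDED`, the thresholds of one full or two marginal introducers, and the keyring are assumptions chosen to match the Trent/Bob/John scenario. The example goes one step further than the text: a signature counts only if the signer's own key is already valid.

```python
# Added illustration; names and thresholds are assumptions, not PGP source code.
FULL, MARGINAL, NONE = "full", "marginal", "none"

COMPLETES_NEEDED = 1   # assumed: one fully trusted introducer suffices
MARGINALS_NEEDED = 2   # assumed: two marginally trusted introducers suffice


def valid_keys(own_key, owner_trust, signatures):
    """Return the set of keys that Alice's keyring treats as valid.

    owner_trust: key owner -> FULL / MARGINAL (trust in them as an introducer)
    signatures:  key owner -> set of owners who signed that key
    """
    valid = {own_key}  # Alice's own key is valid by definition
    changed = True
    while changed:  # iterate to a fixed point so validity propagates along chains
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            # A signature is usable only if the signer's own key is already
            # valid; otherwise Alice cannot tell who really made it.
            usable = [s for s in signers if s in valid]
            full = sum(s == own_key or owner_trust.get(s, NONE) == FULL
                       for s in usable)
            marginal = sum(owner_trust.get(s, NONE) == MARGINAL for s in usable)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return valid


# Constructed sample keyring (all names and signatures are made up).
OWNER_TRUST = {"Trent": FULL, "Bob": MARGINAL, "John": MARGINAL, "Mallory": FULL}
SIGNATURES = {
    "Trent": {"Alice"}, "Bob": {"Alice"}, "John": {"Alice"},
    "Carol": {"Trent"},        # one fully trusted introducer: accepted
    "Dave": {"Bob"},           # one marginal introducer only: rejected
    "Erin": {"Bob", "John"},   # two marginal introducers: accepted
    "Frank": {"Mallory"},      # Mallory's own key was never validated: rejected
    "Grace": {"Carol"},        # Carol's key is valid, but she is no introducer
}

if __name__ == "__main__":
    print(sorted(valid_keys("Alice", OWNER_TRUST, SIGNATURES)))
```

Frank and Grace show why key validity and introducer trust are tracked separately: trusting an owner does nothing until their key is validated, and a valid key does not make its owner an introducer.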
Although PGP was designed not to depend on Key Certificate Authorities (KCAs), it will work with KCAs without modifications to the PGP program. A KCA is just a "person" whom everyone trusts as an introducer. An organization can easily set up a KCA. A KCA should have a strictly defined security policy; see for example [8]. For more information on PGP key handling, please refer to the PGP user manuals [9] and [10].