7.7.1. The Web of Trust

In the Web of Trust model, responsibility for key validation is delegated to other people you trust. The trust is expressed by signing other people's public keys. For instance, Alice would use her key 0xAAAAAAAA to sign Bob's public key 0xBBBBBBBB to certify that that particular public key belongs to the individual called Bob. Bob has signed Carol's public key 0xCCCCCCCC. From this, Alice can infer that Carol's public key is valid (i.e. public key 0xCCCCCCCC belongs to the individual called Carol) because there is a path of valid signatures from her public key to Carol's.

The View → Signatures menu item in Key Management, or the View Signatures button in Key Properties, lets you view the signatures attached to a key, i.e. by whom this key has been signed.

Participation in the Web of Trust is completely voluntary: you do not need to sign other people's keys to successfully use GnuPG or Enigmail. To participate, when you receive a public key and have verified both its fingerprint and the identity of the key owner (either because you know him/her or by means of an ID card, passport, driving license...), you sign the key to endorse the ownership of that public key by that person.

You can sign a key by selecting it and choosing Edit → Sign Key from Key Management, or by clicking the Sign Key button from Key Properties. A window will pop up, asking you how carefully you have verified the identity of the key owner. Choose an answer and click on OK. Your signature will then be attached to that public key; if the key was already signed by other people, your signature will be added to the list. When a key is exported, the list of signatures is exported with it.

Once you have signed a public key, you should return it (for instance in a signed email message) to the owner so he can redistribute it and upload it again to a keyserver.
Note that you can upload your public keyring to a keyserver by means of the menu command Keyserver → Upload Public Keys, but this is not considered good PGP netiquette: only the owner of a key pair should upload his public key.

In many cases you will want to perform a local signature only, to mark keys on your keyring as valid without having checked them carefully. This is done by ticking the option Local signature (cannot be exported) in the Sign Key window.
In fact, you should only sign keys as non-local (exportable) if you have carefully checked the identity of the owner and the ownership of the key, as already said, and you intend to send the key back to the owner once you have signed it.
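The Alice → Bob → Carol signature chain from this section and the local-versus-exportable distinction above, as an added Python model that is not Enigmail or GnuPG code. It implements only the section's simplified rule (a key is valid when a chain of signatures leads back to your own key); real GnuPG additionally weighs owner trust, marginal/full trust thresholds, signature expiry and revocation. The key IDs 0xAAAAAAAA, 0xBBBBBBBB and 0xCCCCCCCC are the handbook's; the Dave/0xDDDDDDDD entry and the absent signer 0xEEEEEEEE are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Signature:
    signer: str              # key ID of the certifying key
    exportable: bool = True  # False for a local signature ("cannot be exported")


@dataclass
class Key:
    key_id: str
    owner: str
    signatures: list = field(default_factory=list)


def build_keyring():
    """Constructed sample keyring using the handbook's example key IDs."""
    return {
        "0xAAAAAAAA": Key("0xAAAAAAAA", "Alice"),
        "0xBBBBBBBB": Key("0xBBBBBBBB", "Bob", [Signature("0xAAAAAAAA")]),
        "0xCCCCCCCC": Key("0xCCCCCCCC", "Carol", [Signature("0xBBBBBBBB")]),
        # Dave (constructed) is certified only by a key that is not on this ring
        "0xDDDDDDDD": Key("0xDDDDDDDD", "Dave", [Signature("0xEEEEEEEE")]),
    }


def sign_key(keyring, signer_id, target_id, local=False):
    """Attach a signature; local=True mirrors 'Local signature (cannot be exported)'."""
    keyring[target_id].signatures.append(Signature(signer_id, exportable=not local))


def valid_keys(keyring, own_key_id):
    """Key IDs reachable from your own key by a chain of signatures.

    Iterates to a fixed point, so mutual (cyclic) signatures terminate, and
    signatures made by keys absent from the ring never contribute.
    """
    valid = {own_key_id}
    changed = True
    while changed:
        changed = False
        for key in keyring.values():
            if key.key_id not in valid and any(s.signer in valid for s in key.signatures):
                valid.add(key.key_id)
                changed = True
    return valid


def export_key(keyring, key_id):
    """Copy of a key as it would leave your ring: local signatures are dropped."""
    key = keyring[key_id]
    return Key(key.key_id, key.owner, [s for s in key.signatures if s.exportable])
```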