
> PGP key signing parties were pretty much there, they just came too early (and not enough work was done to teach the masses about them).

I won't dispute that PGP key signing parties coupled with government ID work very well for certain very specific use cases such as validating distro maintainers.

However, for more mainstream and widespread uses that never occurred, what about work on the tooling? I've yet to see a web of trust implementation that really felt like it was properly generalized, scalable, and intuitive to interact with.

Case in point, if you wanted to implement a distributed code auditing solution on top of git and signed commits, what library would you use for the web of trust graph calculations? And would key signing parties be a usable root of trust for that with the current state of the software ecosystem? My personal view is that both of those things are woefully lacking.



I'd agree that they're both woefully lacking, but there's nothing fundamental preventing them from being successful; it just hasn't been done yet because our existing institutions are not yet degraded to the point where that juice is worth the squeeze.

Biometrics, on the other hand, are flawed in a much more fundamental way.



