dale_glass 16 hours ago
> As a practical implementation of "six degrees of Kevin Bacon", you could get an organic trust chain to random people.

GPG is terrible at that.

0. Alice's GPG trusts Alice's key tautologically.
1. Alice's GPG can trust Bob's key because it can see Alice's signature.
2. Alice's GPG can trust Carol's key because Alice has Bob's key, and Carol's key is signed by Bob.

After that, things break. GPG has no tools for finding longer paths like Alice -> Bob -> ??? -> signature on some .tar.gz. I'm in the "strong set"; I can find a path to damn near anything, but only with a lot of effort. The good way used to be using the path finder, some random website maintained by some random guy that disappeared years ago. The bad way is downloading a .tar.gz, checking the signature, fetching the key, then fetching every key that signed it, in the hopes somebody you know signed one of those, and so on. And GPG is terrible at dealing with that; it hates having tens of thousands of keys in your keyring from such experiments.

GPG never grew into the modern era. It was made for persons who mostly know each other directly. Addressing the problem of finding a way to verify the keys of random free software developers isn't something it ever did well.
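The trust-path search the post describes as missing, as an added example (not GPG's code and not the commenter's): a breadth-first search over a constructed key-signature graph that finds the shortest certification chain from the key you trust to the key that signed an artifact. Names stand in for fingerprints and the whole graph is made up; the depth numbering (own key at 0, a directly signed key at 1) follows the post, and the `max_depth` cap is an assumption modelled on a certification-depth limit.

```python
from collections import deque

# Constructed web of trust: signer -> set of keys that signer has certified.
# Names stand in for key fingerprints; none of these are real keys.
SIGNATURES = {
    "alice": {"bob"},
    "bob": {"carol", "dave"},
    "carol": {"erin"},
    "dave": {"frank"},
    "erin": {"release-key"},   # the key that signed the hypothetical .tar.gz
    "frank": set(),
    "release-key": set(),
}


def find_trust_path(signatures, start, target, max_depth=None):
    """Shortest certification chain [start, ..., target], or None.

    Depth counts certifications: start is depth 0, a key start signed
    directly is depth 1, a key signed by such a key is depth 2, and so on.
    max_depth stops the search at that many certifications (assumed cap).
    """
    if start == target:
        return [start]
    parents = {start: None}          # visited set + back-pointers
    queue = deque([(start, 0)])
    while queue:
        key, depth = queue.popleft()
        if max_depth is not None and depth >= max_depth:
            continue                 # cannot follow further certifications
        for signed in signatures.get(key, ()):
            if signed in parents:
                continue
            parents[signed] = key
            if signed == target:     # reconstruct the chain from back-pointers
                path = [signed]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])
                return path[::-1]
            queue.append((signed, depth + 1))
    return None


def describe(path):
    """Human-readable form of a chain, e.g. 'alice -> bob (1 certifications)'."""
    if path is None:
        return "no certification path found"
    return " -> ".join(path) + f" ({len(path) - 1} certifications)"


if __name__ == "__main__":
    print(describe(find_trust_path(SIGNATURES, "alice", "release-key")))
    print(describe(find_trust_path(SIGNATURES, "alice", "release-key", max_depth=2)))
```

With the cap at 2 the artifact's signer is unreachable, which is the two-hop wall the post describes; without the cap the four-certification chain is found.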
tptacek 16 hours ago | parent

What's funny about this is that the whole idea of the "web of trust" was (and, as you demonstrate, is) literally PGP punting on this problem. That's how they talked about it at the time, in the 90s, when the concept was introduced! But now the precise mechanics of that punt have become a critically important PGP feature.