GPG is pervasive for the same reason git is pervasive: network effects. There are plenty of better alternatives.

Such as? I need an alternative which supports commutative trust relationships of some sort which are revocable.

adastra22 3 days ago | parent | next [-]

You (knowingly?) picked the one counter example, lol. Web of trust is the one application of PGP/GPG for which there isn’t a product ready replacement tool to point towards. GPG is built around web of trust, but this is generally believed to have been a very, very bad idea and the source of innumerable security problems for nearly every application that has tried to make use of it. The GPG replacements I would point to are purpose-built for specific domains and eschew web of trust:

https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/

That said, you might find what you are looking for in the Rebooting Web of Trust project, and the various decentralized identity (DID) implementations that have come out of it:

https://www.weboftrust.info/

▲

XorNot 2 days ago | parent [-]

No I picked the case I'm dealing with most commonly: which is establishing trust. X509 certs will also do this.

I have numerous criticisms of the GPG system but it's not a solution to just not implement any solution at all: I.e. I need revocation lists, I need intermediate keys, I need the ability to establish alternate chains of trust or promote a chain to trusted. Some of this is very hard to do with x509 even or not will supported.

	▲	adastra22 2 days ago \| parent [-]
		Trust meaning who you should do business with? Whose advice you should take? Rather than “trust” you mean something very specific: whether a key was issued by an entity, or attested to from a set of authorities. The “web of trust” model that PGP/GPG supports is not the ideal means of implementing this.

▲

C4K3 4 days ago | parent | prev [-]

Keybase or any of the tools inspired by keybase (foks.pub etc)

	▲	adastra22 3 days ago \| parent [-]
		Isn’t keybase to GPG what github is to git?