PGP Web of Trust, for all its faults and early design facepalms (of which there are many), is the only proof-of-human system where humans meet humans and sign each other's keys that we ever built before AI. No one can reasonably expect any recently created keys were not created by made-up LLM identities unless signed into the web of trust by well-published existing keys held by well-known and trusted humans.
But even if you don't want to look at the Web of Trust you can prove the key I sign stagex releases with is mine via all sorts of other ways thanks to keyoxide: https://keyoxide.org/E90A401336C8AAA9
Also, the PGP spec supports modern crypto now, attestation via DNS, and even Hacker News. You can attest my PGP key is tied to my HN profile right now. I would agree -gpg- is dead, with no real reason to use it anymore now that we have modern Rust tooling with modern crypto.
But! If someone wants to generate an ssh key on a smartcard or something and sign with that instead, we would absolutely consider it. Not married to supporting only a single spec, but we absolutely need human beings to hold their own private keys on smartcards which are themselves attested by other human held private keys and the online services shared by the same identities.
(And this is before a more brute statistical argument: even at its greatest extent, the PGP ecosystem was minuscule[1].)
But regardless of tooling, it is about the keys and who holds them and who they endorse. It does not really matter how keys are distributed. It matters that keys signed other keys and that we have a way of downloading them and verifying that.
We cache a copy of all 5444 keys in the web of trust of stagex maintainers in our keys repo and you can draw a line from our keys to the keys that signed commits to the linux kernel today. These also sync and update from a dozen SKS keyservers that are still online for anyone that wants to build a key directory as we did.
Though SKS is being rapidly replaced with WKD where every domain hosts their own keys and they are automatically discovered.
Are you really going to say this has no trust or security value?
We should all just stop and let GitHub sign everything for us even though they don't full-source bootstrap anything or sign commits or use deterministic builds?
What is the outcome you are actually arguing for here?
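The two mechanics the post above relies on, automatic key discovery via WKD and checking that a key has a certification chain back to keys you already trust, as an added example; this is not stagex's own code or key data. The WKD URL derivation follows the published draft (SHA-1 of the lower-cased local part, z-base-32 encoded); the certification graph, the fingerprint-like labels and the e-mail address are constructed for illustration, and the depth cap of 5 is an assumption mirroring the usual limit on certification chain length.

```python
"""Added example, not stagex code: WKD lookup URLs for an address, and a
shortest certification path from trusted root keys to a newly seen key.
All labels, addresses and the graph are constructed for illustration.
"""
import hashlib
from collections import deque
from urllib.parse import quote

# z-base-32 alphabet used by the Web Key Directory (WKD) draft.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 (MSB first, 5 bits per symbol, no padding)."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5            # right-pad the bit string to a multiple of 5
    value <<= pad
    nbits += pad
    return "".join(
        ZBASE32[(value >> (nbits - 5 * (i + 1))) & 0x1F]
        for i in range(nbits // 5)
    )


def wkd_urls(email: str) -> dict:
    """Return the WKD 'advanced' and 'direct' lookup URLs for an address.

    The local part is lower-cased, hashed with SHA-1 and z-base-32 encoded;
    the original local part travels in the ``l`` query parameter so the
    server can match the exact user ID.
    """
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    hashed = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    l_param = quote(local, safe="")
    return {
        "advanced": (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                     f"{domain}/hu/{hashed}?l={l_param}"),
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}?l={l_param}",
    }


# Constructed certification graph: signer -> keys whose user IDs it certified.
# FRESH-X and FRESH-Y only certify each other: an island with no chain to
# any trusted root, which is the "made-up identity" case the thread raises.
CERTIFICATIONS = {
    "ROOT-A": ["KEY-1", "KEY-2"],
    "ROOT-B": ["KEY-2"],
    "KEY-1": ["KEY-3"],
    "KEY-2": ["KEY-3", "KEY-4"],
    "KEY-3": ["KEY-5"],
    "KEY-4": ["KEY-5"],
    "KEY-5": ["KEY-6"],
    "FRESH-X": ["FRESH-Y"],
    "FRESH-Y": ["FRESH-X"],
}
TRUSTED_ROOTS = ["ROOT-A", "ROOT-B"]   # keys held by people we have met
MAX_DEPTH = 5                           # assumed cap on chain length


def certification_path(graph, trusted_roots, target, max_depth=MAX_DEPTH):
    """Shortest chain [root, ..., target] of certifications, or None.

    Breadth-first search from every trusted root, so the first time the
    target is reached the chain is minimal in hops. The depth bound rejects
    very long chains, which carry little assurance.
    """
    if target in trusted_roots:
        return [target]
    queue = deque((root, [root]) for root in trusted_roots)
    seen = set(trusted_roots)
    while queue:
        key, path = queue.popleft()
        if len(path) - 1 >= max_depth:
            continue
        for certified in graph.get(key, ()):
            if certified in seen:
                continue
            new_path = path + [certified]
            if certified == target:
                return new_path
            seen.add(certified)
            queue.append((certified, new_path))
    return None


if __name__ == "__main__":
    print(wkd_urls("Joe.Doe@Example.ORG")["direct"])
    for candidate in ("KEY-6", "FRESH-Y"):
        path = certification_path(CERTIFICATIONS, TRUSTED_ROOTS, candidate)
        print(candidate, "->", " -> ".join(path) if path else "no chain to trusted roots")
```

The discovery step only tells you where a domain publishes a key; it is the second step, a chain of certifications back to keys you already trust, that distinguishes a key held by a known person from one minted yesterday by anyone, which is the point the post makes about fresh keys.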
I think it matters if you want to call it a WoT. But also, I don't think any signatures originating from these keys are being verified usefully at any meaningful scale.
> Are you really going to say this has no trust or security value?
I think it has marginal security value, maybe net-negative if you balance it with the fact that cryptographers and cryptographic engineers have to waste time arguing against using PGP.
> What is the outcome you are actually arguing for here?
I like binary transparency. I also think identity-based signing is significantly more ergonomic, and has seen more adoption in the last 4 years than PGP has in the last 35. And I think this is actually a stunning indictment, because I'd say that identity-based signing schemes like Sigstore are still running behind my expectations.