> I think it matters if you want to call it a WoT. But also, I don't think any signatures originating from these keys are being verified usefully at any meaningful scale.

Web of trust is a web of mutually trusting keys, not a network of servers. That web can be verified on any computer as in the blog post by kron I linked earlier, and it is verified for every package install in our soon-to-be published sxctl tool we will be presenting at some conferences next month.

> I think it has marginal security value, maybe net-negative if you balance it with the fact that cryptographers and cryptographic engineers have to waste time arguing against using PGP.

So again, are you really saying all the maintainers of most services running the internet should stop using the only IETF standard built for human-identity-bound signing with keys held by those humans?

The alternative everyone seems to be suggesting with a straight face is login with github or google and let them sign for you with "keyless signing"? That is the only alternative that is gaining adoption, and it is a ridiculous downgrade. I consider it mostly security theater.

The whole point of humans holding their own signing keys locally is to be able to make it not matter if your centralized online accounts are taken over. Something that is usually easy to do because no one uses hardware 2FA or renews their personal email domains.

But, if they did use hardware 2FA, hey look they have a local signing key... why not just... sign the binaries with that hardware directly instead of using that to login and let someone else sign for you. And then if you are going to do that, you don't want to be impersonated, so why not publish those public keys, and have other maintainers sign them. And now we have re-invented the web of trust.