Managing the WoT with GPG

Neal H. Walfield neal at
Mon Jun 26 11:53:16 CEST 2017

At Mon, 26 Jun 2017 11:27:30 +0200,
martin f krafft wrote:
> > Martin, I think --no-auto-check-trustdb and a cron job will
> > already make it much more bearable, with the current state of
> > things. That's what I'd suggest.
> I've been doing that for a long time already, and yes, it mitigates
> the issue a little bit. I still think that the interface doesn't
> exactly invite people to invest time into the WoT, which directly
> translates into lesser quality.

I disagree that this is the bottleneck.  Two very strong arguments
against the WoT, IMO are:

  1. Key signing is too hard to do right.

  2. Key signing exposes the social graph.

1 means that people primarily interested in protecting their privacy
don't bother.

2 means that organizations like the Organized Crime and Corruption
Reporting Project (OCCRP) can't use the WoT, because it places their
reporters and sources in danger.

We could perhaps fix 1 by doing more red teaming (i.e., fake attacks
so that people see the actual utility of checking keys), but I'm not
sure that's the best way forward.

:) Neal

More information about the Gnupg-users mailing list