Plan B - Who carries the torch?

Konstantin Ryabitsev konstantin at linuxfoundation.org
Tue Jan 5 17:34:22 CET 2021


On Tue, Jan 05, 2021 at 09:46:01AM -0500, Robert J. Hansen via Gnupg-users wrote:
> On Tue, 2021-01-05 at 15:38 +0100, Werner Koch via Gnupg-users wrote:
> > Virtually nobody uses the WoT...
> 
> Strangely, the Linux kernel folks still use it a decent amount. 
> They're the only large group I can think of offhand, though.

Debian is much larger, though they've been moving away from the web of trust
based on keysigning and towards a scheme based around signed digital
documents (same idea, but certificates aren't bundled with keys themselves).

The use of WoT is not really that strange. WoT works better than most
alternatives in setups with decentralized infrastructure. While kernel.org
does act as a "certification authority" of sorts, we merely check and enforce
the web of trust before issuing accounts. Every step of the process is
transparent and can be verified, per this document:

https://korg.docs.kernel.org/pgpkeys.html

-K



More information about the Gnupg-users mailing list