Re:Transitivity of trust (Score 2)
Just because you trust somebody doesn't mean you trust him or her to trust others.
Very true! If I meet a person face-to-face, they hand me their PGP/GPG public key, and they show me plausible-looking picture ID that matches the identity that their key claims to represent, then I can mark their key in my keychain as one that I'm confident is not a forgery. If they are otherwise a stranger to me with no well-known reputation, then I can register in my keychain that their signature on somebody else's key doesn't count for much. Or if they are a well-known person with a reputation of being very careful about whose keys they sign, I may register in my keychain that I tend to trust keys that they have signed. The web of trust system is pretty well configurable.
I may also sign their key with mine to let other people know that "I, NF6X, consider this key to belong to the individual it claims to belong to". You may or may not consider that to be of value, depending on how well you know me and what you think of me.
This seems to be a reasonable model to me, and I think it's better than the "one CA to rule them all" model used for things like SSL certificates. It's difficult to scale the model well, though. I don't know of any other PGP/GPG users near me, and I began using these systems long after I graduated from college, where I might have had many more opportunities to sign others' keys and have mine signed. So, I'm not part of the web of trust, and I'm unlikely to become part of it unless I go out of my way to travel to a key-signing party to meet some well-known and reputable people. The few people with whom I exchange PGP/GPG-encrypted traffic are strangers to me, and I have no way of being strongly confident that they are who they say they are.
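The configurable trust the comment describes (a stranger whose key I verified but whose signatures don't count, a careful well-known signer whose single signature does, several marginal signers adding up, and a limit on how far trust chains), as an added Python model that is not part of the original comment. It follows GnuPG's documented defaults (one fully trusted or three marginally trusted signers, maximum certification depth of five); the keyring, names and trust assignments are constructed.

```python
from enum import Enum

class Trust(Enum):
    UNKNOWN = 0    # stranger with no reputation: their signatures don't count
    MARGINAL = 1   # counts, but several such signers are needed
    FULL = 2       # one signature is enough
    ULTIMATE = 3   # my own key

def compute_validity(signatures, owner_trust, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Toy model of the classic GnuPG web-of-trust validity calculation.
    signatures: {key: set of signing keys}; owner_trust: {key: Trust}.
    Returns {key: 'full' | 'marginal' | 'unknown'}. Defaults follow gpg's
    --completes-needed 1, --marginals-needed 3, --max-cert-depth 5. Only fully
    valid keys act as signers, and each round extends the chain by one hop,
    so validity reaches at most max_cert_depth hops from my own key."""
    validity = {k: 'full' for k, t in owner_trust.items() if t is Trust.ULTIMATE}
    for _hop in range(max_cert_depth):
        valid_signers = {k for k, v in validity.items() if v == 'full'}
        changed = False
        for key, signers in signatures.items():
            if validity.get(key) == 'full':
                continue
            full = marginal = 0
            for s in signers & valid_signers:
                t = owner_trust.get(s, Trust.UNKNOWN)
                if t in (Trust.FULL, Trust.ULTIMATE):
                    full += 1
                elif t is Trust.MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                validity[key], changed = 'full', True
            elif (full or marginal) and validity.get(key) != 'marginal':
                validity[key], changed = 'marginal', True
        if not changed:
            break
    return {k: validity.get(k, 'unknown') for k in signatures}

def example_keyring():
    """Constructed keyring mirroring the cases in the comment above."""
    signatures = {
        'alice': {'me'}, 'bob': {'alice'},    # Alice verified in person; Bob only via her
        'carol': {'me'}, 'dave': {'carol'},   # Carol is a known, careful signer
        'erin': {'me'}, 'frank': {'me'}, 'grace': {'me'},
        'heidi': {'erin', 'frank', 'grace'},  # three marginal signers
        'ivan': {'erin', 'frank'},            # only two marginal signers
    }
    owner_trust = {'me': Trust.ULTIMATE, 'alice': Trust.UNKNOWN, 'carol': Trust.FULL,
                   'erin': Trust.MARGINAL, 'frank': Trust.MARGINAL, 'grace': Trust.MARGINAL}
    return compute_validity(signatures, owner_trust)
```

Bob's key stays unknown even though Alice's is verified, because verifying that a key is genuine says nothing about how carefully its owner signs others' keys.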