Re: pgp signing in van

On Sep 6, 2013, at 10:18 PM, Scott Brim <scott.brim@xxxxxxxxx> wrote:
> Dilution of trust is a problem with PGP. "I know this person as X" is way too lax if you want the system to scale.

It's naive to think that keys are any more trustworthy than this, because any signature's trustworthiness is only as good as the trustworthiness of the individual who decides to sign it. If you trust a key signed by someone you don't know, but who someone you know trusts, just how trustworthy is that?

The web of trust scales just fine if you don't expect too much from it. If you expect the kind of trustworthiness you seem to be talking about, then it's pretty much useless, because you can really only trust yourself to that degree.

I don't know if this is the sort of absolutism Ted Ts'o was talking about, but I think it is. Sometimes best is the enemy of good enough, and this is particularly true when best is actually not achievable anyway.
