Warning: random PGP musings ahead....
it's been obvious to me since the 90s that the hierarchical models of
trust (CAs, corp signing authorities) are simply restricted webs of
trust. So the WoT model is a more general one than the hierarchical one:
you can represent hierarchy as a WoT (the user trusts the root keys,
trust flows from there), but not vice versa.
I've been saddened by the crippled state of WoT-manipulating user
interfaces since roughly forever.
They seem to be utterly incompetent in answering questions like:
- Are there any friends who have signed for this guy?
- Who do I need to trust in order to trust this guy's key?
- Who are the guys that signed this guy's key, and how can I insert them
all into my keystore?
- How well is he connected into the Web of Trust - is it just one arc,
or a good mesh?
And of course they all seem to have been tested with a trustdb of ~20
keys; doing anything on a trustdb the size of my email directory (order
of magnitude 1000) is just too slow for words; copying the signers of my
correspondents' keys into my keystore would render the UI completely
useless.
I believe the Web of Trust has a great potential as a basis on which to
represent many different trust policies. But the current state of tools
to interrogate and update a trustdb according to those policies is
simply not fit for the task.
Harald