by asdvxgxasjab 2537 days ago
https://keybase.io/
1 comment

So we should use a centralized service? The hell?
Is there a functional web-of-trust for GPG? My understanding (and personal experience) is that if I want to message somebody using GPG, it’s super unlikely I can derive a pathway through the web-of-trust where I trust somebody who trusts somebody who trusts somebody until we eventually get to my intended recipient. Even if that works, it banks on everybody in the chain having done a legit validation of identity, and there’s no way for me to know if they did (vs just picking a key off the web, signing it, and pushing that sig). And even if they did push that sig, where do I get the signatures from, given that the primary key servers used by GPG users are afflicted by a denial of service attack that was disclosed years ago?

I’d bet that the majority of GPG usage involves checking the public key against the website of the other party (for example, against a fingerprint on a project’s site, or the person’s blog), and then maybe checking against another source posted by that person.

Keybase is just some syntactic sugar around the “check the person’s sites for their fingerprint”. But I’d argue that if we’re going to just use that as a validating mechanism, we might as well just use minisign or Signal, depending on whether I’m validating package signatures or trying to send a message.

They aggregate the signatures, but the proofs of identity exist on disparate publicly viewable sites/applications. They commit the state of the signature chain on the public blockchain. So I wouldn't call it completely "centralized"/trusted, where you're blindly trusting their SQL database is correct, but not "perfectly" decentralized/trustless either.