by rrdharan 2129 days ago
> WoT as realized by PGP seems to me to be a very good tool for manually assessing whether to trust a previously unknown key for someone that a third (untrusted) party sends you.

https://inversegravity.net/2019/web-of-trust-dead/


That article isn't particularly relevant to what I said.

The issues it describes only affect keyservers that behave in a specific manner. I'd also argue that a keyserver behaving that way in the first place is fundamentally flawed for the reason pointed out by @tialaramex above - trust isn't transitive in the generalized case (nor is it boolean IMO).

It is still entirely possible for a small group (say a FOSS software project) to engage in cross-signing. Previously unseen keys received from an untrusted (or less trusted) third party can then be judged on a case-by-case basis by manually assessing how many times they have been signed and by which keys.

(Similar to above, I believe Matrix employs cross-signing among the keys of a single user.)
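The case-by-case assessment the comment above describes (who certified this key, and how many of those certifiers do I already trust?) can be scripted against GnuPG's machine-readable listing. The following is an added example, not code from either commenter or from any project: it parses constructed output in the `gpg --with-colons --check-sigs <KEYID>` format (field layout as documented in GnuPG's doc/DETAILS), counts only certifications that gpg could cryptographically verify and that come from a hypothetical, hand-verified set of project keys (`PROJECT_KEYS`, assumed here), and reports everything else as ignored. Trust is deliberately not transitive and the result is a count rather than a yes/no. The key IDs, user IDs and the `SAMPLE` listing are all made up for the example.

```python
"""Added example: grade a previously unseen OpenPGP key by who certified it.

Reads the machine-readable output of
    gpg --with-colons --check-sigs <KEYID>
and counts only those certifications that (a) gpg could cryptographically
verify ('!' in the validity field) and (b) were made by a key the user has
already verified out of band, e.g. a FOSS project's cross-signing group.
Trust is not treated as transitive: any other certification scores zero.
"""
import sys
from dataclasses import dataclass, field

# Hypothetical: long key IDs (16 hex digits) of project members whose keys the
# user verified directly.  Constructed for this example, not real keys.
PROJECT_KEYS = {
    "1111111111111111": "alice (release manager)",
    "2222222222222222": "bob (maintainer)",
    "3333333333333333": "carol (maintainer)",
}

# OpenPGP certification signature classes 0x10..0x13 (gpg prints e.g. '13x').
CERT_CLASSES = {"10": "generic", "11": "persona", "12": "casual", "13": "positive"}


@dataclass
class Cert:
    uid: str           # user ID the certification is attached to
    signer: str        # long key ID of the certifying key
    signer_uid: str    # '[User ID not found]' when gpg lacks the signer's key
    validity: str      # '!' good, '-' bad, '?' signer key unknown, '%' error
    sig_class: str     # e.g. '13x'; trailing 'x' = exportable, 'l' = local


@dataclass
class KeyBlock:
    keyid: str = ""
    fingerprint: str = ""
    uids: list = field(default_factory=list)
    certs: list = field(default_factory=list)


def parse_check_sigs(colon_output: str) -> KeyBlock:
    """Parse one key's --with-colons --check-sigs listing (0-indexed fields)."""
    kb = KeyBlock()
    current_uid = ""
    for line in colon_output.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            kb.keyid = f[4]
            current_uid = ""
        elif rec == "fpr" and not kb.fingerprint:
            kb.fingerprint = f[9]      # first fpr record belongs to the primary key
        elif rec == "uid":
            current_uid = f[9]
            kb.uids.append(current_uid)
        elif rec == "sig":
            kb.certs.append(Cert(current_uid, f[4], f[9], f[1], f[10]))
        elif rec == "sub":
            current_uid = ""           # records after a subkey are not uid certs
        # 'rev' (revocation) records are deliberately not counted as certifications
    if not kb.keyid:
        raise ValueError("no pub record in input")
    return kb


def assess(colon_output: str, trusted: dict = PROJECT_KEYS) -> dict:
    """Return which trusted keys certified the key, and why every other
    signature was ignored.  'level' is the number of distinct trusted certifiers."""
    kb = parse_check_sigs(colon_output)
    counted, ignored = {}, []
    for c in kb.certs:
        if c.signer == kb.keyid:
            ignored.append((c.signer, "self-signature"))
        elif c.validity != "!":
            ignored.append((c.signer, f"not verified ({c.validity})"))
        elif c.sig_class[:2] not in CERT_CLASSES:
            ignored.append((c.signer, f"not a certification ({c.sig_class})"))
        elif c.signer not in trusted:
            ignored.append((c.signer, "signer not in trusted set"))   # no transitivity
        else:
            counted.setdefault(c.signer, (trusted[c.signer], CERT_CLASSES[c.sig_class[:2]], c.uid))
    return {
        "keyid": kb.keyid,
        "fingerprint": kb.fingerprint,
        "uids": kb.uids,
        "trusted_certs": counted,
        "ignored": ignored,
        "level": len(counted),
    }


# Constructed sample of what `gpg --with-colons --check-sigs ABCDEF0123456789`
# could print for a newcomer's key: self-sig, two project certs, one cert from
# a key gpg does not have ('?'), one from a verifiable but untrusted key.
SAMPLE = """\
pub:-:4096:1:ABCDEF0123456789:1590000000:::-:::scESC::::::23::0:
fpr:::::::::000011112222333344445555ABCDEF0123456789:
uid:-::::1590000000::0000000000000000000000000000000000000000::Dave Newcomer <dave@example.org>::::::::::0:
sig:!::1:ABCDEF0123456789:1590000000::::Dave Newcomer <dave@example.org>:13x:::::2:
sig:!::1:1111111111111111:1590100000::::alice <alice@example.org>:13x:::::2:
sig:!::1:2222222222222222:1590200000::::bob <bob@example.org>:12x:::::2:
sig:?::1:9999999999999999:1590300000::::[User ID not found]:13x:::::2:
sig:!::1:4444444444444444:1590400000::::mallory <mallory@example.net>:13x:::::2:
sub:-:4096:1:0011223344556677:1590000000::::::e::::::23:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA0011223344556677:
"""

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    r = assess(data)
    print(f"key {r['fingerprint']} ({', '.join(r['uids'])})")
    for kid, (name, cls, uid) in r["trusted_certs"].items():
        print(f"  trusted: {kid} {name}: {cls} certification on '{uid}'")
    for kid, why in r["ignored"]:
        print(f"  ignored: {kid}: {why}")
    print(f"  level: {r['level']} distinct trusted certifier(s)")
```

Run it as `gpg --with-colons --check-sigs <KEYID> | python3 assess_key.py` against a real keyring (the filename is arbitrary); with no stdin it evaluates the constructed sample. Two caveats: `--check-sigs` can only mark a certification `!` if the certifier's public key is in the local keyring, so the project's keys must be imported first, and a certification only speaks for the user ID it is attached to, which is why the report records the uid alongside each counted signer.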