[im3w1l]

GPG lost, TLS won. Both are actually webs of trust with the same underlying technology. But they have different cultures and so different shapes. GPG culture is to trust your friends and have them trust their friends. With TLS culture you trust one entity (e.g. browser) that trusts a couple dozen entities that (root certificate authorities), that either signs keys directly or can fan out to intermediate authorities that then sign keys. The hierarchical structure has proven much more successful than the decentralized one.

Frankly I don't trust my friends of friends of friends not to add thirst trap bots.

[lxgr]

The difference is in both culture and topology.

TLS (or more accurately, the set of browser-trusted X.509 root CAs) is extremely hierarchical and all-or-nothing.

The PGP web of trust is non-hierarchical and decentralized (from an organizational point of view). That unfortunately makes it both more complex and less predictable, which I suppose is why it “lost” (not that it’s actually gone, but I personally have about one or maybe two trusted, non-expired keys left in my keyring).

[kevin_thibedeau]

The issue is key management. TLS doesn't usually require client keys. GPG requires all receivers to have a key.

[amenghra]

Couple dozen => it’s actually 50-ish, with a mix of private and government entities located all over the world.

The fact that the Spanish mint can mint (pun!) certificates for any domain is unfortunate.

Hopefully, any abuse would be noticed quickly and rights revoked.

It would maybe have made more sense for each country’s TLD to have one or more associated CA (with the ability to delegate trust among friendly countries if desired).

https://wiki.mozilla.org/CA/Included_Certificates

[wkat4242]

Yes I never understood why the scope of a CA was not previously declared as part of their CA certificate. The purpose is (email, website etc) but not the possible domains. I'm not very happy that the countless Chinese CAs included in Firefox can sign any valid domain I use locally. They should be limited to anything .cn only.

At least they seem to have kicked out the Russian ones now. But it's weird that such an important decision lies with arbitrary companies like OS and browser developers. On some platforms (Android) it's not even possible to add to the system CA list without root (only the user one which apps can choose to ignore)