by __MatrixMan__ 409 days ago
Biometrics are not a viable solution to the sybil problem.

The more biometric tech converges on the ability to get a cryptographic hash of one's body, the further it retreats from the kind of thing that a layperson will trust. You end up with a root of trust that <1% of the population can verify and then you end up asking 100% of them to rely on systems built on that root. You're never going to be able to convince even a majority of people that some clever hacker hasn't cracked an iris scanner and associated millions of fake IDs with millions of AIs for scam purposes.

It needs to be the kind of thing that lets Alice assert that this key goes with Bob just after she shook Bob's hand in meatspace. Something where, in order for Bob to have two identities according to Alice, he'll have to meet her in meatspace twice and manage to have her not notice that she's already met him once before. PGP key signing parties were pretty much there, they just came too early (and not enough work was done to teach the masses about them).

The web becomes more of a dark forest with each passing day. Eventually the cost of maintaining your part of the trust graph will be lower than the cost of getting screwed by some root of trust that you can't influence or verify. I'm sad to say that I think the point where these lines cross is significantly down and to the right of where we are.

1 comments

> PGP key signing parties were pretty much there, they just came too early (and not enough work was done to teach the masses about them).

I won't dispute that PGP key signing parties coupled with government ID work very well for certain very specific use cases such as validating distro maintainers.

However for more mainstream and widespread uses that never occurred, what about work on the tooling? I've yet to see a web of trust implementation that really felt like it was properly generalized, scalable, and intuitive to interact with.

Case in point, if you wanted to implement a distributed code auditing solution on top of git and signed commits, what library would you use for the web of trust graph calculations? And would key signing parties be a usable root of trust for that with the current state of the software ecosystem? My personal view is that both of those things are woefully lacking.
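As an added illustration of the two points above (Alice vouching for a key only after meeting its owner in person, and the "web of trust graph calculations" the comment asks about), here is a small Python model of the GnuPG-style validity rule. It is example code written for this thread, not anything from either commenter or from GnuPG itself; the names (alice, bob, the sock1..sock3 ring) and the graph are constructed, and the algorithm is a simplified version of the classic rule: a key becomes valid when it is certified by one fully trusted valid key or by `marginals_needed` marginally trusted valid keys, evaluated layer by layer up to `max_depth`.

```python
from dataclasses import dataclass, field

# Owner-trust levels the evaluating user assigns to keys (GnuPG-style names).
UNKNOWN, MARGINAL, FULL, ULTIMATE = 0, 1, 2, 3


@dataclass
class WebOfTrust:
    """Certifications are edges signer -> subject: 'signer met subject in
    meatspace and signed subject's key'. Owner trust is the evaluator's private
    opinion of how carefully each signer checks identities before certifying."""
    certs: dict = field(default_factory=dict)        # subject -> set(signers)
    owner_trust: dict = field(default_factory=dict)  # key -> trust level
    marginals_needed: int = 3   # GnuPG default
    completes_needed: int = 1   # GnuPG default
    max_depth: int = 5          # GnuPG default max-cert-depth

    def certify(self, signer, subject):
        self.certs.setdefault(subject, set()).add(signer)

    def _introducers(self, subject, valid):
        """Count fully and marginally trusted *valid* keys that certified subject."""
        fulls = marginals = 0
        for signer in self.certs.get(subject, ()):
            if signer not in valid:
                continue  # a signature from an unvalidated key carries no weight
            trust = self.owner_trust.get(signer, UNKNOWN)
            if trust >= FULL:
                fulls += 1
            elif trust == MARGINAL:
                marginals += 1
        return fulls, marginals

    def valid_keys(self, me):
        """Keys that `me` may treat as belonging to the person they name."""
        valid = {me}
        for _depth in range(self.max_depth):
            newly = set()
            for subject in self.certs:
                if subject in valid:
                    continue
                fulls, marginals = self._introducers(subject, valid)
                if fulls >= self.completes_needed or marginals >= self.marginals_needed:
                    newly.add(subject)
            if not newly:
                break          # no more keys can be reached at the next depth
            valid |= newly
        return valid


def build_example(marginals_needed=3):
    """Constructed sample graph (hypothetical names) seen from Alice's keyring."""
    wot = WebOfTrust(marginals_needed=marginals_needed)
    wot.owner_trust.update({"alice": ULTIMATE, "bob": FULL, "carol": MARGINAL,
                            "dave": MARGINAL, "erin": MARGINAL})
    # Alice signed these keys herself after shaking hands with their owners.
    for key in ("bob", "carol", "dave"):
        wot.certify("alice", key)
    wot.certify("bob", "erin")      # one fully trusted introducer suffices
    wot.certify("carol", "frank")   # two marginals: not enough at the default 3
    wot.certify("dave", "frank")
    wot.certify("erin", "grace")    # erin is only marginal, so grace stays unknown
    # A sock-puppet ring: three keys certifying each other, none of which was
    # ever met by anyone Alice trusts. They validate nobody, because no member
    # of the ring is itself valid from Alice's point of view.
    for a in ("sock1", "sock2", "sock3"):
        for b in ("sock1", "sock2", "sock3"):
            if a != b:
                wot.certify(a, b)
    return wot


if __name__ == "__main__":
    print("default (3 marginals):", sorted(build_example().valid_keys("alice")))
    print("relaxed (2 marginals):", sorted(build_example(2).valid_keys("alice")))
```

The sock-puppet ring is the graph-level view of the sybil argument: signatures among keys nobody trusted has met carry zero weight, so the only way a fake identity gains validity is for a trusted introducer to certify it, which is exactly the in-person check the comment describes. Lowering `marginals_needed` trades that strictness for reach, as the second run shows.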

I'd agree that they're both woefully lacking, but there's nothing fundamental preventing them from being successful, it just hasn't been done yet because our existing institutions are not yet degraded to the point where that juice is worth the squeeze.

Biometrics, on the other hand, are flawed in a much more fundamental way.