[noman-land]

One thing I don't like about key signing is that

1. You reveal your social graph

2. Different instances of the key can be differently signed

For someone to sign your key that information has to be stored on your key or in a central location.

[purplehat_]

The first bit seems possibly solvable with private set intersection. You can publish a salted hash of everybody you trust, and I can compute hashes of everyone I trust with your salt to see if we have anyone in common. Then I check the signature corresponding to the salted hash I like, and hopefully it doesn't reveal anything you don't want to reveal.

I don't know if anyone has actually done this in practice. Does it work?

[lrvick]

Having a public graph is critical for trust in Linux distributions. All it means is a human met you and agreed you are human and signed your key. It does not imply you are friends.

It is pretty useful for someone totally outside the trust graph to be able to prove the key that just signed the latest release of stagex is only a couple steps away from the keys that sign debian and the Linux kernel. Keys that long predate AI.

Public trust accountability is exactly what we want from people responsible for the legos that make up the internet.

You can of course have private signature packets revealed as needed though.

[tptacek]

People are not Linux distributions.

[lrvick]

But Linux distributions are made of people.