by akerl_ 23 days ago
This is a fun kind of paradox. Right now it wouldn't scale well because signing parties are a niche nerd activity and having your identities signed by other GPG users doesn't really help with anything you'd want to do with a bot.

But if you were to actually succeed in making key signing parties a more common thing that people used to test for human-ness, and that test was tied to meaningful things online, it would both become easier to fake and more valuable to fake.


When you sign a key you pick a trust level. If no one reputable has ever trusted a person's key with a higher level than "human", then that key should be subject to significantly higher scrutiny.

If you look at my key, you will find it is heavily connected to the keys that sign most Linux distributions, bitcoin, and commits to the Linux kernel today.

If those 5444 linked identities that long pre-date AI colluded to create a fake me and fake people that signed people who signed me over the last 25 years, and got those fake fingerprints in the keychains of every distro and got matching fingerprints on thousands of privately owned sites, we indeed have serious problems.

Yes, that would be the conundrum I was describing. If your plan were to work, the idea of a signer being "reputable" would be watered down into nothing.

Well, it is working as intended, right now, and the binaries running on the servers we are communicating with right now were likely signed and validated with Linux maintainer PGP keys because it is the only standard and decentralized option.

PGP does not need mass adoption to function, but with solutions like Keyoxide offering a more accessible trust onramp, it is there for anyone that wants to self-certify and take control of their own identity today, and get signed by trusted community members tomorrow at a conference.