by peter487 4750 days ago
I am not sure if such a system existed in the past or if I read about it in some sci-fi book, but it worked as follows:

You generated your key pair. In (almost) every country, in almost every city, there were “key signers” (basically trusted members of the PGP community). You met with them and they verified your identity and signed your public key. You needed to visit a couple of them to get enough signatures to obtain a certain level of trust in the PGP community. Once your level of trust was high enough you could start signing keys of other people. Too good to be true, I guess…
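The "enough signatures from enough trusted signers" rule the post describes is what GnuPG's classic trust model computes as key validity. The following is an added example, not part of the post: a toy model using GnuPG's default thresholds (one fully trusted signer, or three marginally trusted ones, within five hops), with a constructed scenario of three city key signers and a newcomer who visits some of them. The uids, thresholds as constants, and the scenario are all assumptions for illustration.

```python
# GnuPG classic trust-model defaults (assumed here; the post quotes no numbers).
COMPLETES_NEEDED = 1   # signatures from fully trusted signers for full validity
MARGINALS_NEEDED = 3   # or this many from marginally trusted signers
MAX_CERT_DEPTH = 5     # longest signing chain from our own key that still counts
RANK = {"unknown": 0, "marginal": 1, "full": 2}


def compute_validity(keys, owner_trust):
    """Map every uid in `keys` to 'full', 'marginal' or 'unknown' validity.

    keys: uid -> set of uids whose signatures appear on that key.
    owner_trust: uid -> 'ultimate' | 'full' | 'marginal' (absent = untrusted).
    A signature counts only if the signer's key is itself fully valid and within
    MAX_CERT_DEPTH hops of an ultimately trusted key; marginally valid keys never
    act as signers.  Validity only ever rises, so the loop reaches a fixpoint.
    """
    validity = {uid: "unknown" for uid in keys}
    depth = {u: 0 for u, t in owner_trust.items() if t == "ultimate"}
    validity.update({u: "full" for u in depth})  # our own keys are valid by fiat
    changed = True
    while changed:
        changed = False
        for uid, signers in keys.items():
            if validity[uid] == "full":
                continue
            usable = [s for s in signers
                      if validity.get(s) == "full" and depth[s] < MAX_CERT_DEPTH]
            fulls = [s for s in usable if owner_trust.get(s) in ("ultimate", "full")]
            margs = [s for s in usable if owner_trust.get(s) == "marginal"]
            new = ("full" if len(fulls) >= COMPLETES_NEEDED or len(margs) >= MARGINALS_NEEDED
                   else "marginal" if margs else "unknown")
            if RANK[new] > RANK[validity[uid]]:
                validity[uid] = new
                depth[uid] = 1 + min(depth[s] for s in fulls + margs)
                changed = True
    return validity


def scenario(visits):
    """Constructed case: three city key signers we trust marginally, a newcomer who
    collected signatures from `visits` of them, and a friend signed only by the
    newcomer, whose key may be valid but who has been given no owner trust."""
    keys = {u: set() for u in ("me", "s1", "s2", "s3", "newcomer", "friend")}
    for s in ("s1", "s2", "s3"):
        keys[s].add("me")                        # verified in person, signed by us
    for s in ("s1", "s2", "s3")[:visits]:
        keys["newcomer"].add(s)
    keys["friend"].add("newcomer")
    trust = {"me": "ultimate", "s1": "marginal", "s2": "marginal", "s3": "marginal"}
    return compute_validity(keys, trust)
```

Two visits leave the newcomer's key only marginally valid; the third makes it fully valid, yet the friend's key stays unknown because validity of a key and trust in its owner as a signer are separate decisions.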

1 comments

As far as I know, that's pretty much how it used to happen. I do believe there even used to be things called 'key signing parties', which were just a way to get a heap of people to do it en masse. Not to be confused with simply a 'key party', though, I presume.

  joey@gnu:~>gpg --recv-keys 2512E3C7
  gpg: requesting key 2512E3C7 from hkp server pool.sks-keyservers.net
  gpg: key 2512E3C7: "Joey Hess <joeyh@debian.org>" 24 new signatures
  gpg: Total number processed: 1
  gpg:         new signatures: 24

KSPs still seem to be alive and well. I'm sure the NSA has long since pulled in this info about the people I met and signed keys with at Linux Conf Australia this winter. (Of course I Have Nothing To Hide.)

If you're using any Linux distribution, there is certainly use of the web of trust at many points in the development, build, and delivery chain of its software.