[narcissus]

As far as I know, that's pretty much how it used to happen. I do believe there even used to be things called 'key signing parties' which was just a way to get a heap of people to do it en masse. Not to be confused with simply a 'key party', though, I presume.

[joeyh]

  joey@gnu:~>gpg --recv-keys 2512E3C7
  gpg: requesting key 2512E3C7 from hkp server pool.sks-  keyservers.net
  gpg: key 2512E3C7: "Joey Hess <joeyh@debian.org>" 24 new   signatures
  gpg: Total number processed: 1
  gpg:         new signatures: 24

KSP's still seem to be alive and well. I'm sure the NSA has long since pulled in this info about the people I met and signed keys with at Linux Conf Australia this winter. (Of course I Have Nothing To Hide.)

If you're using any Linux distribution, there is certainly use of the web of trust at many points in the development, build, and delivery chain of its software.