"W. Kinney" says:
This isn't a criticism of PGP's key certification paradigm -- PGP allows centralized certification (I see a few keys signed by SLED, for instance), and it also allows me the flexibility of having mutual certification within the circle of people I mail regularly. But web of trust _in and of itself_ is not proving to be effective when applied to the problem of providing reliable key certification on the scale of the internet as a whole.
I think the jury is still out on that. Web-of-trust is still really untested because of the difficulties in widespread deployment of PGP. As it stands, PGP is still a hacker's toy -- the lack of a library or an easy-to-use global key distribution infrastructure means that we have yet to see what can be done. I think that mutually authenticating organizations with small trust pyramids within the organizations, but without a global key pyramid, may come to prove very practical.

Perry