Matt Blaze writes:
I don't think anyone has suggested there's any one problem that "destroys" PGP. Several people have pointed out a number of problems that limit PGP's scalability in various ways. Its flat key ID namespace is one. Lack of functional modularity is another. Its fixed certification model is still another.
Certification really does need to be added to the discussion on scaling. In the sense that I want to be able to download a stranger's key from a key server and have some idea of its reliability, web of trust has turned out to be a real failure, IMO. There's no "web", rather a large set of disconnected "islands" of signatures. I'm looking at the latest keyring from MIT right now, and noticing that most of the keys are either unsigned or self-signed. The majority of the rest have signatures, but signatures that are unconnected to me via the web of trust, so that they are entirely useless. I suspect that my situation is by far the most common one: the only keys that I have any verifiable authentication for are ones I've signed myself, or ones that are signed by people in my immediate circle. The chain of signatures dies very close to me. This isn't a criticism of PGP's key certification paradigm -- PGP allows centralized certification (I see a few keys signed by SLED, for instance), and it also allows me the flexibility of having mutual certification within the circle of people I mail regularly. But web of trust _in and of itself_ is not proving to be effective when applied to the problem of providing reliable key certification on the scale of the internet as a whole.

-- Will
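The keyring survey described in the message above can be reproduced mechanically. The following is an added example, not part of the original post: it sorts keys into unsigned, self-signed, connected to my key by a signature chain, or signed but unconnected. The key names and signature pairs are constructed, and as a simplifying assumption every signature counts as a usable chain link (PGP's per-introducer trust levels are ignored).

```python
from collections import deque

# Constructed sample keyring: (signer, signed_key) pairs. All names are made up.
KEYS = {"ME", "ALICE", "BOB", "CAROL", "DAVE", "ERIN", "FRANK", "GRACE"}
SIGS = [
    ("ME", "ME"), ("ME", "ALICE"), ("ALICE", "BOB"), ("BOB", "GRACE"),
    ("CAROL", "DAVE"), ("DAVE", "CAROL"),  # an island: signatures, but none lead to ME
    ("ERIN", "ERIN"),                      # self-signed only
]                                          # FRANK carries no signatures at all

def reachable_from(root, sigs, max_depth=None):
    """Breadth-first walk over signer -> signed edges; returns {key: chain length}."""
    signed_by = {}
    for signer, signed in sigs:
        if signer != signed:               # a self-signature extends no chain
            signed_by.setdefault(signer, set()).add(signed)
    depth = {root: 0}
    queue = deque([root])
    while queue:
        key = queue.popleft()
        if max_depth is not None and depth[key] >= max_depth:
            continue                       # chain limit reached, do not extend
        for nxt in signed_by.get(key, ()):
            if nxt not in depth:
                depth[nxt] = depth[key] + 1
                queue.append(nxt)
    return depth

def classify(keys, sigs, me, max_depth=None):
    """Label each key the way the post groups them, from the viewpoint of `me`."""
    depth = reachable_from(me, sigs, max_depth)
    signers = {}
    for signer, signed in sigs:
        signers.setdefault(signed, set()).add(signer)
    labels = {}
    for key in keys:
        who = signers.get(key, set())
        if key in depth:
            labels[key] = "connected"      # a signature chain leads from me to it
        elif not who:
            labels[key] = "unsigned"
        elif who == {key}:
            labels[key] = "self-signed"
        else:
            labels[key] = "unconnected"    # signed, but the signatures are useless to me
    return labels

if __name__ == "__main__":
    for key, label in sorted(classify(KEYS, SIGS, "ME", max_depth=2).items()):
        print(f"{key:6} {label}")
```

Lowering `max_depth` shows how quickly the chain "dies": with a limit of 1, only keys I signed myself remain connected.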