I think he understands that in general. The problem is that, in practice, the "web of trust" depends on significant numbers of users trusting other users to verify still other users on their behalf, which is in practice something most people are (or should be) loath to do.
I think we need to rely on this at some point, though. If my friend Alice introduces her friend Bob to me, that's my only way of determining that when Alice is talking about Bob, it's this Bob and not a different Bob.
I actually don't think there is a problem with the concept of a web of trust per se. It's a fact of life. I think that the software doesn't help you use it appropriately. Even if Alice says that a person is Bob, I should not be fooled into thinking that it really is Bob, or that Bob is trustworthy. All it says is that when Alice talks about "Bob", she means this person who we're calling "Bob". If "Bob" then introduces me to "Cathy", we shouldn't be fooled into thinking that it really is Cathy. However, it's still very useful to know that Cathy is Bob's friend who is Alice's friend. If Alice tells me to talk to Bob's friend Cathy, I can be totally comfortable talking to the "Cathy" that Bob introduced me to.
Just to make a more concrete example, imagine that you have a problem with your software. You contact the company that supplies it and somehow determine that the person you are contacting is really operating on behalf of the company. They refer you to second line support. It would be incredibly useful to know that the second line support person you are talking to is, in fact, the second line support person you've been directed to and not a man in the middle. You don't care who that second line support person is. Maybe they aren't using their real name. Maybe they are an illegal immigrant. None of that matters to you. All you care is that they are the person you were directed to. And if they direct you to third line support, you care that the person you are talking to is the person you were directed to.
People get hung up on the wrong things with PGP IMHO. They check people's passports and include photos in their keys, etc, etc. I mean, great if you are the government trying to ascertain if a key really belongs to a citizen, but completely useless for most practical purposes. All you care about is that chain.
The kernel of the conceptual problem with this web-of-trust feature is in another Filippo post[1]: when I sign someone's else's key, it is difficult (in practice: impossible) to really know the provenance of that key. The signer could have gotten the key from a keyserver (in which case you now transitively trust the keyserver). Or they could have gotten it from a random email saying "this is my new key". You don't know; the basis for trust isn't there, or rather, to the extent it is, it's only there across strong, short paths in the graph of key signatures; it doesn't scale out to the whole "web".
I'm definitely not arguing against that. I think keyservers are one of the worst things to ever happen. PGP's implementation of the web of trust is hugely flawed. I'm saying the concept is still incredibly useful. I get frustrated when I see suggestions that we should abandon the notion signing other people's keys because users can't be trusted to do it properly.
I think the author of the article you link to is mostly right. Long term keys don't make much sense most of the time. A key that's signed by a million people is useless. I only care that it's singed by the people who are relevant in the context for which I'm using it. Relationships change too. If I've got a key from level 1 support to a level 2 support person, I can't trust 6 months later that the level 2 support person still works at the company. You need to have a context to describe the link in order to understand it. PGP (and by extension GPG) are absolutely horrible in that regard.
I find it ironic that the author says that the best way to reach them is by their Whisper number. This is what frustrates me. We exchange "horribly flawed implementation" for a central trust broker -- who may or may not be trust worthy.
I still think this is a problem of public key servers being a broken idea, rather than PGP itself.
It's 20 years since I've been to a key signing party, but there are still several small circles of trusts where I have very good ideas about the trustworthiness of each member and of the overall circle.
I still trust the crypto that PGP (and OpenPGP) uses. (With the caveat of no forward secrecy unless you try to handle that yourself).
I'm not entirely sure I've _ever_ trusted a key server provided public key, beyond the use case of trying it to open a conversation in which I can verify (to whatever level is needed) whether the person on the other end is the person I am trying to communicate with.e
If only distributed signatures included trust levels -- then you could at least attempt something like that. Though unfortunately trust levels are themselves incredibly coarse and subjectively determined (does "I trust fully" mean "I checked 6 forms of government ID" or "I know this person by their handle"?).
To be honest, I think Keybase has the only workable solution to this problem for modern online personalities -- tie it to directly to your other identities online such that you would need to break into many accounts in order to fake someone's identity. And individual users can decide for themselves what threshold of trust they have for someone.
