> I think it is reasonable to observe that the current PGP WoT is designed to try to unambiguously and unimpeachably map public keys to entities (if not necessarily literal human beings).
I don't really think the PGP WoT can "unambiguously and unimpeachably" provide that mapping, or is even intended to. At best, I think that the WoT documents trust relationships between entities with keypairs.
I actually really like this feature of the WoT, because I think it does a good job of simulating the actual trust relationships between people in real life. In a private conversation, I might imagine a friend vouching for another person as trustworthy; a key signature from my friend does something similar, in a secure fashion. This is good because I don't want my web of trust or social network to be able to say "this key is certain to be trustworthy": after all, it can't actually guarantee that. But I don't mind seeing trust opinions from my friends, and their friends' friends.
If anything, I think the trust relationships in GPG ("unknown", "marginal", "full") are too unclear, and I know that these numbers mean different things to different people. I'd prefer the ability to add a short note to the signature so I could say something like,
"I know this person well and you can be confident that this key is theirs, but I don't think they're careful enough to trust their signatures."
I've never understood why a weighted WoT system has never become popular. I trust some friends implicitly, and I trust some other friends less. I trust friends of friends, but generally less than I trust direct friends. I'm still willing to trust someone who two friends' friends know, and if you can trace me a dozen lines to Kevin Bacon, I'll trust him, too. Sure, there's some hard graph theory and weighting to be done, but I can't imagine those aren't problems that can be solved with modern big-data techniques.
If someone sends you an email and you partially trust the key, how does that map to the contents of the email? How does it map to executable code? Source code? Images? Digital signatures?
It's like saying some people's trust is a square circle. It's a correct sentence but it doesn't map to any meaning usefully.
As two examples: Partial trust means you trust a key for different purposes, or for different levels of validity.
Different purposes: "Do I trust that this key correctly identifies this person?" is a separate question from "Do I trust this person to do proper verification before signing others' keys?" (i.e., trusted link in the Web of Trust)
Different validity: "I've met this person and verified they own the key", is different from, "They've identified themselves with two forms of government ID", is different from "I've known them all my life".
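Added example (not code from the thread): a toy weighted Web of Trust in Python that puts numbers on both ideas raised above, the decaying trust in friends of friends with several paths adding up, and the separation of "is this key theirs" (validity) from "do they verify carefully before signing" (introducer trust). The signature graph, the weights and HOP_DECAY are constructed values for illustration.

```python
from typing import Dict, List, Set

# Constructed data (not from the thread): edge A -> B means "A has signed B's key".
SIGNATURES: Dict[str, Set[str]] = {
    "me": {"alice", "bob"}, "alice": {"carol", "dave"},
    "bob": {"dave"}, "carol": {"erin"}, "dave": {"erin"},
}
# How much I trust each signer to verify keys before signing (introducer trust);
# deliberately separate from whether I believe their own key is theirs (validity).
INTRODUCER: Dict[str, float] = {"me": 1.0, "alice": 0.9, "bob": 0.5, "carol": 0.6, "dave": 0.7}
HOP_DECAY = 0.75  # hypothetical per-hop discount: friends of friends count for less

def simple_paths(graph, src, dst, max_hops):
    """Enumerate cycle-free signature paths src -> dst with at most max_hops edges."""
    found: List[List[str]] = []

    def walk(node, path):
        if node == dst:
            found.append(path)
            return
        if len(path) - 1 >= max_hops:
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(src, [src])
    return found

def path_trust(path, introducer):
    """Product of each signer's introducer weight, discounted by distance from me."""
    weight = 1.0
    for hop, signer in enumerate(path[:-1]):  # the last node is the target, not a signer
        weight *= introducer.get(signer, 0.0) * HOP_DECAY ** hop
    return weight

def key_validity(graph, introducer, target, max_hops=4):
    """Combine all paths noisy-OR style: 1 - prod(1 - trust_i), so two friends'
    friends vouching together count for more than either alone. Paths are treated
    as independent, which overcounts when they share a signer; fixing that is the
    'hard graph theory' the post mentions."""
    failure = 1.0
    for path in simple_paths(graph, "me", target, max_hops):
        failure *= 1.0 - path_trust(path, introducer)
    return 1.0 - failure
```

With these constructed weights, alice (signed directly by me) comes out fully valid, dave (two second-hop paths) at about 0.80, and erin (three third-hop paths) at about 0.52, while a key nobody in the graph has signed gets 0.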