The Debian project is one of the heaviest users of the OpenPGP Web-of-Trust (WoT): Not only we use OpenPGP keys as one of the main ways to identify to different parts of our infrastructure (mainly, package uploads and GR voting), we also give a lot of weight to the relations, the connectedness, the social graph that the WoT draws for us. The WoT is, however, under attack from many different flanks. Protocol vulnerabilities, a threat model not compatible with current regulations (GDPR, I'm looking at you), and an Internet much less naïve and forgiving than the one that existed in the early 1990s force us to reconsider how the WoT works and how we use it. I am doing my PhD work following this line of thought, and I want to share with the project my work so far. The work is quite far from finished (and I want to use your input to help me fill in the blanks).
Speakers: Gunnar Wolf