
If the measure here is "I met this person at an event and they were a human", and the protocol becomes actually important for proving personhood, what is the measure that stops somebody from turning up to a bunch of events and getting "human" keys signed to then repurpose for bots?



Because this is too expensive to scale, and people talk in small circles about who has signed whom. Good luck inventing thousands of fake identities with a long trust history and reputation with this approach.

Botmasters like situations where they can hide offline and buy bots blue checkmarks with stolen credit cards.


This is a fun kind of paradox. Right now it wouldn't scale well because signing parties are a niche nerd activity and having your identities signed by other GPG users doesn't really help with anything you'd want to do with a bot.

But if you were to actually succeed in making key signing parties a more common thing that people used to test for human-ness, and that test was tied to meaningful things online, it would both become easier to fake and more valuable to fake.


When you sign a key you pick a trust level. If no one reputable has ever trusted a person's key with a higher level than "human", then that key should be subject to significantly higher scrutiny.

If you look at my key, you will find it is heavily connected to the keys that sign most Linux distributions, Bitcoin, and commits to the Linux kernel today.

If those 5444 linked identities that long pre-date AI colluded to create a fake me and fake people that signed people who signed me over the last 25 years, and got those fake fingerprints in the keychains of every distro and got matching fingerprints on thousands of privately owned sites, we indeed have serious problems.
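The point made in this comment, that a certification which only says "I met a human" should not by itself make a key trustworthy, can be shown with a small web-of-trust validity calculation. The block below is an added example, not code from the thread, and it implements a simplified version of the marginal/complete counting that GnuPG-style trust models use (defaults of 3 marginals, 1 complete, maximum certification depth 5). It keeps two things separate that the comment runs together: the certification level a signer attaches when signing (persona, casual, positive), and the owner trust the local user assigns to a signer. The key names, the web itself and the policy that only casual-or-better certifications count toward validity are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass, field

# OpenPGP certification classes: how carefully the signer checked the identity.
# PERSONA is the "I met a human at an event" level from the thread.
GENERIC, PERSONA, CASUAL, POSITIVE = 0, 1, 2, 3
# Owner trust: how much the local user trusts a key holder to certify others.
NONE, MARGINAL, FULL, ULTIMATE = "none", "marginal", "full", "ultimate"


@dataclass
class Key:
    fpr: str                                   # fingerprint (constructed labels)
    owner_trust: str = NONE
    certs: dict = field(default_factory=dict)  # signer fpr -> certification level


def compute_validity(keys, marginals_needed=3, completes_needed=1,
                     max_depth=5, min_cert_level=CASUAL):
    """Return {fpr: bool}: which keys are valid from the local user's view.

    A key becomes valid once enough *already valid* signers vouch for it:
    completes_needed fully/ultimately trusted signers, or marginals_needed
    marginally trusted signers, each within max_depth certification hops and
    each having certified at min_cert_level or better. Iterate to a fixpoint
    because a signer can only vouch after it has itself become valid.
    """
    valid = {f: k.owner_trust == ULTIMATE for f, k in keys.items()}
    depth = {f: (0 if valid[f] else None) for f in keys}
    changed = True
    while changed:
        changed = False
        for fpr, key in keys.items():
            if valid[fpr]:
                continue
            completes, marginals, hops = 0, 0, []
            for signer_fpr, level in key.certs.items():
                signer = keys.get(signer_fpr)
                if signer is None or not valid[signer_fpr]:
                    continue  # unknown or not-yet-valid signer cannot vouch
                if level < min_cert_level or depth[signer_fpr] + 1 > max_depth:
                    continue  # too weak a certification, or too far away
                if signer.owner_trust in (FULL, ULTIMATE):
                    completes += 1
                elif signer.owner_trust == MARGINAL:
                    marginals += 1
                else:
                    continue  # valid key, but its holder is not trusted to certify
                hops.append(depth[signer_fpr] + 1)
            if completes >= completes_needed or marginals >= marginals_needed:
                valid[fpr] = True
                depth[fpr] = min(hops)
                changed = True
    return valid


def demo_web():
    """Constructed web of trust; 'alice' is the local user's own key."""
    keys = {
        "alice": Key("alice", ULTIMATE),
        "bob": Key("bob", FULL, {"alice": POSITIVE}),
        "carol": Key("carol", MARGINAL, {"alice": POSITIVE}),
        "dave": Key("dave", MARGINAL, {"alice": POSITIVE}),
        "frank": Key("frank", MARGINAL, {"alice": CASUAL}),
        # One fully trusted voucher is enough.
        "eve": Key("eve", certs={"bob": CASUAL}),
        # Three marginal vouchers who actually checked identity: valid.
        "trent": Key("trent", certs={"carol": CASUAL, "dave": CASUAL,
                                     "frank": POSITIVE}),
        # Same three signers, but only "met a human" certifications: not valid.
        "newcomer": Key("newcomer", certs={"carol": PERSONA, "dave": PERSONA,
                                           "frank": PERSONA}),
        # Only two marginal vouchers: not valid.
        "oscar": Key("oscar", certs={"carol": CASUAL, "dave": CASUAL}),
    }
    return compute_validity(keys)


if __name__ == "__main__":
    for fpr, ok in demo_web().items():
        print(f"{fpr:9s} {'valid' if ok else 'NOT valid'}")
```

Under this policy a bot farm that collects persona-level signatures at events gains nothing: those certifications are counted at zero, and even casual-level ones only help once three independent, marginally trusted signers have issued them. Raising `min_cert_level` or `marginals_needed` is the knob the comment is arguing for when it says such keys deserve higher scrutiny.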


Yes, that would be the conundrum I was describing. If your plan were to work, the idea of a signer being "reputable" would be watered down into nothing.

Well, it is working as intended, right now, and the binaries running on the servers we are communicating with right now were likely signed and validated with Linux maintainer PGP keys because it is the only standard and decentralized option.

PGP does not need mass adoption to function, but with solutions like keyoxide offering a more accessible trust onramp, it is there for anyone that wants to self certify and take control of their own identity today, and get signed by trusted community members tomorrow at a conference.



