As indicated, this is a general question and I’m okay if you have a reference to punt this to…

But I’m wondering about keyservers and if there is still a “web of trust” in 2022.

Clearly, with spam issues and attacks against the infrastructure and processes there was a need for keys.openpgp.org. I haven’t followed things as closely as I was when I first started with PGP, but I’m trying to reset expectations (the previous being that “theoretically” all keyservers would eventually distribute all keys.

So, from the perspective of the team, how obsolete is that idea? Is it that there is still a network of keyservers or are there separate networks based on technology, protocols of key verification, measures to protect email identities, and or usage profiles?

I was used to using tools on macOS to verify keys and occasionally signed signed package downloads for other platforms - this doesn’t seem to work as well as the UI really wants to encourage me to just use the default keyserver. The other thing that doesn’t seem to work is having people using Thunderbird for Linux whose keys are… where?

And/or, to what extent have most people migrated to a TOFU policy?

This is sort of a FAQ, but also I’d love some clarity on what is current practice. Thanks!