There is at least one major flaw, which is that GPG keys can and often do expire, and this presumes “live” verification of comments and a single global GPG key associated with a domain. So once you replace the master GPG key for your domain, your old comments will flag as invalid/unverified.
One solution would be to have the domain able to list an arbitrary collection of keys (including old ones) rather than a single. Another would be to have one or more trusted sources of archival keys, which could be delegated from your domain with a different link rel. The verifier could make a time bounded request for the domain key from a compliant key server (this would have to be added, right now I don’t think the idea of a domain pgp key exists).
Another solution is simply for the comment publisher to store the fact that the comment was verified and show it “verified” henceforth. Live verification would disappear as an option once the key expires. This is probably “good enough”.
You can condense the problem to a subset of keys though with a verification chain. When posted, a sequence number + key + msghash + verification result + last verification result is posted publicly. That makes a block. I suppose we could call that a blockcha.... dangit. I almost said the forbidden word.
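The record chain described in the comment above, sketched as an added example (not code from the thread or the linked article). It assumes the GPG check itself happens elsewhere and is passed in as a boolean, and it reads "last verification result" as the hash of the previous block; the field names and key fingerprints are placeholders.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first block (assumed convention)


def block_hash(block):
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: block[k] for k in ("seq", "key", "msghash", "verified", "prev_hash")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_block(chain, key_fpr, message, verified):
    """Record one verification result, linked to the previous block."""
    block = {
        "seq": len(chain),
        "key": key_fpr,
        "msghash": hashlib.sha256(message.encode()).hexdigest(),
        "verified": bool(verified),  # result of a signature check done elsewhere
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def first_bad_block(chain):
    """Return the index of the first block that breaks the chain, or None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        # Sequence numbers must be gapless and each block must point at its predecessor.
        if block["seq"] != i or block["prev_hash"] != prev:
            return i
        # The stored hash must match the block's current contents.
        if block["hash"] != block_hash(block):
            return i
        prev = block["hash"]
    return None


def build_sample_chain():
    """Constructed sample data: placeholder fingerprints, made-up comments."""
    chain = []
    append_block(chain, "FPR-OLD-PLACEHOLDER", "first comment", True)
    append_block(chain, "FPR-OLD-PLACEHOLDER", "second comment", True)
    append_block(chain, "FPR-NEW-PLACEHOLDER", "comment after key rotation", True)
    return chain
```

Because each block commits to the one before it, a verification recorded under the old key stays checkable after the key is replaced, and rewriting an old result is detectable from that block onward.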
There's dozens of good uses for, ahem, chains of blocks. Unfortunately they aren't the ones that get implemented. Maybe if there was some sort of token in the mix.
> There is at least one major flaw, which is that GPG keys can and often do expire, ... So once you replace the master GPG key for your domain, your old comments will flag as invalid/unverified.
e.g. GitHub shows whether commits have been signed by GPG.
An expired key doesn't necessarily need its secret replaced. The key can just have its expiry date extended.
This is why PGP subkeys are the way. You can easily expire/extend/revoke subkeys and create new ones attached to the same master key. Re-uploading a new public key with the updated subkeys allows for verification of all historical keys.
Really interesting that this article is from 2004. To me this gives strong IndieWeb vibes. It's a shame that all the things that require an own domain are never going into the mainstream, not to mention the user experience of having to manually sign a comment before posting it.
This is one of the few things that cryptowallets have brought to the mainstream through things like Metamask. Signing for actions is one of the actions Metamask brings forward in terms of usability. Shame that it has to be tied with crypto or the crypto “web3” world.
Web of Trust was a big part of that toehold for identity. You want some sort of attestation of "this person is who they say they are" and Web of Trust is no worse than paying an Authority (a Certificate Authority) to say that. It's just harder. (That's the trade-off axis there: harder versus more expensive.)
Keybase even almost proved that you could automate a lot more of Web of Trust and make the UX overall much easier. (The LINK tag based approach to attestation in the article here is almost directly a predecessor to that.)
Identity without any attestation is hard to impossible to work with. Web of Trust wasn't the "best" solution to that, but PGP identity was built on/for Web of Trust. Web of Trust was necessary to PGP and was arguably a big part of why PGP failed to be people's preferred identity tech, because Web of Trust was too hard to get right and not enough people trusted Web of Trust.