Note that the author of this post, Filippo Valsorda, is a professional cryptographer. He works for Google, and used to work for Cloudflare.
So it’s a fair bet to say he’s vastly more knowledgeable about the matter than the overwhelming majority of readers of Privacy Tools IO, or similar sites.
And yet, he says he has never understood how a fundamental piece of the PGP process is supposed to work, and therefore he has never applied it (presumably breaking the security of the whole chain). He also says practically nobody ever applies it. Here (emphasis is mine):
OpenPGP is an encryption and signing protocol from the 90’s. It comes with a pretty idealistic solution to identity management and key distribution called the “web of trust”. How it works is that you and I have a private and a public key, and once we meet and you verify that I am who I say am, you sign my public key, effectively making the statement “I am Alice and I verified that this is indeed Filippo’s key”. The idea is that if enough statements like that are published, they form a web, and two people who did not meet can chain a path through it to securely find each other’s public key, to send each other emails, 0-days, or whatever.
I never got this to work for a number of reasons¹. For example, it was never clear to me whether signing a key meant that I’d verified the person’s identity, or that I then trusted them to verify other people’s identities. In the latter case I would never sign a stranger’s key, and in the former case there is no transitive trust to build chains out of.
(1) In my experience, neither has anyone else. Every use of PGP I’m aware of involves pre-shared keys, or just randomly trusting the first key you download. Notable exception, the Debian developer community built its own web of trust which seems to work.