Hello, OpenPGP CA (sequoia-pgp.org)
77 points by nwalfield on May 12, 2021 | hide | past | favorite | 11 comments



This makes so much sense since every identity exists in the context of some authority, some common referential. You're never completely alone as the pgp-classic web of trust implies; instead you're trusting some centrally managed keys like your distro's package signers, which you always blindly accept. The problem is we rarely sign keys as introducers (and rightfully so) since being a CA is a big responsibility. CAs are not real persons. We should probably trust a handful of public CAs with well-defined scopes (some private network, some org), a couple smaller private groups and the exceptional direct trust for the closest friends we interact with daily.

Looking forward to using this. Although in my case the source of truth wouldn't be OpenPGP keys but perhaps WireGuard keys to our VPN or maybe OMEMO or SSH keys.


In practice the public CAs didn't quite work out. www.cacert.org tried it, and was interesting, but didn't work out in the end. Especially now it's a bit of a joke with the login page on http and the website certificate not being cross-signed, so you have to accept them explicitly.


cacert.org unnecessarily tried to merge real-world authentication of people with certificates to sites.


I really like the term "Scoped Trust Signatures" and will steal it. An informative way to describe that mostly unknown and underappreciated OpenPGP feature.
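The comment above refers to OpenPGP trust signatures that carry a regular-expression subpacket limiting which User IDs the introducer may vouch for (RFC 4880 sections 5.2.3.13 and 5.2.3.14). The following Python model is an added illustration, not code from the commenter, OpenPGP CA or Sequoia: it evaluates a chain of certifications from a local trust root, honouring trust depth and accumulated scopes. Key names, User IDs, the `example.org` domain and the regular expression are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Trust amount OpenPGP uses for a fully trusted certification (RFC 4880 5.2.3.13).
FULL_TRUST = 120


@dataclass(frozen=True)
class Certification:
    """One certification made by `signer` over (`subject_key`, `user_id`).

    trust_depth: 0 is an ordinary certification; >= 1 is a trust signature that
    makes `subject_key` a trusted introducer for that many further levels.
    scope: optional regular expression (RFC 4880 5.2.3.14) restricting which
    User IDs certifications made *by the introducer* may vouch for.
    """
    signer: str
    subject_key: str
    user_id: str
    trust_depth: int = 0
    trust_amount: int = FULL_TRUST
    scope: Optional[str] = None


def is_valid(target_key, target_uid, certs, roots, max_depth=3):
    """True if (target_key, target_uid) is certified by a chain starting at a
    trust root, where every scope inherited along the chain matches the User ID
    being certified at each step."""
    # Stack entries: (introducer key, levels it may still introduce, inherited scopes).
    stack = [(root, max_depth, ()) for root in roots]
    seen = set()
    while stack:
        key, cap, scopes = stack.pop()
        if (key, cap, scopes) in seen:
            continue
        seen.add((key, cap, scopes))
        for c in certs:
            if c.signer != key or c.trust_amount < FULL_TRUST:
                continue
            # Every inherited scope must match the User ID being certified;
            # an out-of-scope certification is simply ignored.
            if not all(re.search(s, c.user_id) for s in scopes):
                continue
            if c.subject_key == target_key and c.user_id == target_uid:
                return True
            # A key trusted to depth `cap` can delegate at most cap - 1 levels,
            # so a deeper trust signature is clamped (model simplification).
            level = min(c.trust_depth, cap - 1)
            if level >= 1:
                new_scopes: Tuple[str, ...] = scopes + ((c.scope,) if c.scope else ())
                stack.append((c.subject_key, level, new_scopes))
    return False


# Constructed data: "me" is the local trust root, "CA" is an OpenPGP-CA style
# introducer restricted to User IDs inside example.org (and its subdomains).
SCOPE_EXAMPLE_ORG = r"<[^>]+[@.]example\.org>$"
ROOTS = ["me"]
CERTS = [
    Certification("me", "CA", "OpenPGP CA <openpgp-ca@example.org>",
                  trust_depth=1, scope=SCOPE_EXAMPLE_ORG),
    Certification("CA", "K_ALICE", "Alice <alice@example.org>"),
    Certification("CA", "K_MALLORY", "Mallory <mallory@evil.test>"),
    # CA only has depth 1, so its own trust signature cannot create a sub-CA.
    Certification("CA", "K_SUB", "Sub CA <subca@example.org>", trust_depth=1),
    Certification("K_SUB", "K_BOB", "Bob <bob@example.org>"),
]

if __name__ == "__main__":
    for key, uid in [("K_ALICE", "Alice <alice@example.org>"),
                     ("K_MALLORY", "Mallory <mallory@evil.test>"),
                     ("K_BOB", "Bob <bob@example.org>")]:
        print(f"{uid:40} valid={is_valid(key, uid, CERTS, ROOTS)}")
```

Alice's User ID is accepted because it matches the CA's scope, Mallory's is rejected because it falls outside `example.org`, and Bob's is rejected because the CA was only trusted to depth 1 and therefore cannot delegate introducer power to a sub-CA.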


This is huge.

OpenPGP can become usable in the scope of a realistically large organization, and most of the hassle can be put on the shoulders of dedicated IT people, instead of every user.


What's the difference between this and an in-house centrally managed CA?


I'm guessing you specifically mean an SSL/TLS CA? This is for PGP keys instead of X.509 certificates.


While you're 100% correct, some organizations use S/MIME to send signed and encrypted emails with their TLS X.509 certs signed by their company's TLS CA.

But you can also get your X.509 cert signed by a public CA and then anyone on the internet can verify your S/MIME signed email.

In practice I've only seen this in government and government contractors, but I'm sure it is done elsewhere.

The flaws with the above approach:

1. Smaller adoption than OpenPGP

2. You normally cannot encrypt outside your organization because there is no method for key discovery. Though if you received a signed message in the past, I believe you can use that.

3. Using public CA infrastructure means any trusted public CA can impersonate anyone.

The OpenPGP CA solves all these problems because of the PGP Web Key Directory (WKD), which is automatically scoped to domains.
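The comment's point about WKD being scoped to the mail domain follows from how the lookup works: the client derives a URL under the address's own domain from a hash of the local part, so only the operator of that domain can answer. The following Python block is an added example, not code from the commenter or from any OpenPGP project; it implements the lookup-URL derivation from draft-koch-openpgp-webkey-service (SHA-1 of the lower-cased local part, z-base-32 encoded) for both the "advanced" and "direct" methods, plus the client-side check that a fetched key actually carries a User ID for the requested address. The `Joe.Doe@Example.ORG` address and the User ID strings are constructed; the draft publishes a worked hash for that address that the reader can compare against.

```python
import hashlib
import re
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (Zooko's encoding, lower case).
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes in z-base-32, taking 5-bit groups from the most significant
    bit and right-padding the bit string to a multiple of five. A 20-byte SHA-1
    digest is 160 bits, which is exactly 32 characters with no padding."""
    nbits = len(data) * 8
    total = (nbits + 4) // 5 * 5
    n = int.from_bytes(data, "big") << (total - nbits)
    return "".join(ZB32_ALPHABET[(n >> shift) & 31]
                   for shift in range(total - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """WKD 'hu' component: z-base-32(SHA-1(lower-cased local part))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced- and direct-method lookup URLs for a mail address.
    The domain part is lower-cased; the original local part is passed as ?l=."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    query = "?l=" + quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
    }


def key_matches_address(user_ids, address: str) -> bool:
    """Client-side check: accept a fetched key only if one of its User IDs
    contains the requested address (compared case-insensitively). A domain
    serving someone else's key for this hash would be rejected here."""
    wanted = address.lower()
    for uid in user_ids:
        m = re.search(r"<([^>]+)>", uid)
        candidate = (m.group(1) if m else uid).strip().lower()
        if candidate == wanted:
            return True
    return False


if __name__ == "__main__":
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method:8} {url}")
    # Constructed User IDs standing in for the fetched key's packets.
    fetched = ["Joe Doe <joe.doe@example.org>"]
    print("matches:", key_matches_address(fetched, "Joe.Doe@Example.ORG"))
```

Note that the hash covers only the local part, while the domain selects the server: a key for `alice@evil.test` can never be served under `example.org`'s well-known path, which is the domain scoping the comment refers to.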


I'll also add that the federal US government makes extensive use of personal TLS certificates, and they store the private key material on a smartcard embedded inside your ID.

Your cert is used for everything from signing and decrypting emails to gaining access to sites to signing attestations that something happened.


Partially true. TLS stands for "Transport Layer Security". TLS certificates are used on servers to encrypt communication. The certificates on the smartcard are used for digital signatures, encryption, and authentication. All of those certificates follow the X.509 certificate standard.


This is an in-house centrally managed CA.



