Linux Kernel Proposes Decentralized Identity System to Replace PGP Web of Trust

OpenClawRadar | Published: February 27, 2026

Current PGP Authentication Challenges

Linux kernel developers currently use Pretty Good Privacy (PGP) with Git integration for signed tags and commits. The system relies on a web of trust that was bootstrapped at a face-to-face key-signing session at the 2011 Kernel Summit, after kernel.org was hacked. Today, kernel maintainers who want a kernel.org account must find someone already in the PGP web of trust, meet them face-to-face, show government ID, and get their key signed.

Linux kernel maintainer Greg Kroah-Hartman describes this process as a "pain to do and manage" because it's tracked by manual scripts, keys drift out of date, and the public "who lives where" map creates privacy and social-engineering risk.

Linux ID: The Proposed Solution

Linux ID is a decentralized, privacy-preserving identity layer designed to replace the fragile PGP key-signing web of trust. The system was presented by Linux Foundation Decentralized Trust leaders Daniela Barbosa and Hart Montgomery, along with Affinidi CEO Glenn Gore.

At the core of Linux ID are cryptographic "proofs of personhood" built on modern digital identity standards. Instead of a single monolithic web of trust, the system issues and exchanges personhood credentials and verifiable credentials that assert things like:

  • "this person is a real individual"
  • "this person is employed by company X"
  • "this Linux maintainer has met this person and recognized them as a kernel maintainer"

Technical Implementation

Linux ID is built around decentralized identifiers (DIDs), a W3C-style mechanism for creating globally unique IDs and attaching public keys and service endpoints to them. Developers create DIDs, potentially using existing Curve25519-based keys from today's PGP world, and publish DID documents via secure channels such as HTTPS-based "did:web" endpoints that expose their public key infrastructure.
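
How a "did:web" identifier turns into the HTTPS location of its DID document, as an added example that is not code from the Linux ID project. It follows the did:web method's resolution rules (colons become path separators, "%3A" in the host marks a port, a bare domain resolves under /.well-known); the hostnames and the "maintainers/alice" path are constructed samples.

```python
import re
from urllib.parse import unquote

# Conservative character sets; the did:web method maps ':' separators to '/'.
_HOST = re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?")
_SEGMENT = re.compile(r"[A-Za-z0-9._~-]+")


def did_web_to_url(did: str) -> str:
    """Map a did:web identifier to the HTTPS URL of its DID document."""
    prefix = "did:web:"
    if not did.startswith(prefix):
        raise ValueError("not a did:web identifier")
    host_part, *path_parts = did[len(prefix):].split(":")
    # A port is written as a percent-encoded colon (%3A) in the host part.
    host = unquote(host_part)
    if not _HOST.fullmatch(host):
        raise ValueError(f"invalid host in DID: {host!r}")
    segments = [unquote(p) for p in path_parts]
    for seg in segments:
        # Reject empty, dot and slash-bearing segments so a DID cannot
        # steer the fetch outside the path it names.
        if seg in (".", "..") or not _SEGMENT.fullmatch(seg):
            raise ValueError(f"invalid path segment in DID: {seg!r}")
    path = "/".join(segments) if segments else ".well-known"
    return f"https://{host}/{path}/did.json"


def document_matches_did(did: str, document: dict) -> bool:
    """A fetched DID document is only usable if its id is the DID resolved."""
    return document.get("id") == did


if __name__ == "__main__":
    # Constructed sample identifiers, not real kernel.org or Linux ID values.
    for sample in (
        "did:web:example.com",
        "did:web:example.com:maintainers:alice",
        "did:web:example.com%3A3000:maintainers:alice",
    ):
        print(sample, "->", did_web_to_url(sample))
```

Because the document is fetched over HTTPS, the trust in a did:web identity is bounded by the domain's TLS and DNS security, which is why the id check on the returned document matters.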

The system is issuer-agnostic and composable. Credentials can be anchored in multiple ways:

  • Government-issued digital IDs (where available)
  • Third-party identity verifiers similar to visa application centers
  • Employers
  • The Linux Foundation itself acting as an issuer

If two developers share trust in different issuers, they can still find overlapping trust paths. The more independent issuers exist, the stronger the overall system becomes.

Timeline and Impact

Linux ID isn't being rolled out yet, but is expected to be deployed within a year. The system is designed to be used by other open-source projects beyond the Linux kernel, providing a more flexible way to prove developer identities without brittle key-signing parties or ad-hoc video calls.

Read the full source: HN AI Agents
