
It's not clear that the PGP web of trust will survive well under an attack, at least in terms of most users not being fooled.

Someone made a fake PGP key for me several years ago, and many people have chosen that over my genuine key when e-mailing me, just because the fake key is newer, even though my genuine key has lots of signatures and the fake key has none at all. (It was probably Enigmail helping them make the choice rather than a clearly informed decision.)

Meanwhile, there is already a complete clone of the strong set with colliding key IDs. That is, people have spent the computing time needed to make a fake version of every single public key, with the same name and key ID and signatures as the real one, just with a different fingerprint. (There's one at https://evil32.com/, but I think at least one other group has done the same thing!)

If someone uploaded those to the keyservers, there would be a fake copy of each PGP public key with the same key ID and the same signature structure (of course signed by other fake keys rather than by other real keys). At that point you would always have a 50% chance of getting a fake key every time you tried to use PGP to contact a new person, unless you consciously manually used an out-of-band fingerprint verification mechanism to bootstrap your selection of what key to use. You would never be safe in just guessing because you "found a key out there" for someone and it "looked right" and "had a bunch of signatures"!

I'm willing to be more charitable toward the web of trust than someone like Moxie is -- I think more users could be taught to be more cautious, and software could help automate key exchange better -- but my own experiences with having a fake key out there in my name don't make me very optimistic about the way the web of trust is being used today. It's also sad to ponder, as Moxie has, that it seems PGP isn't even being used widely enough to make it worthwhile for attackers to try to DoS the web of trust, let alone to try to trick people into using the wrong keys on a large scale. (That is, PGP hasn't even reached Gandhi's "then they fight you" stage in the mass market.) This isn't to deny that PGP has provided major communications security benefits to smaller communities and groups that have consciously adopted it and use it carefully.
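
The key selection problem described in the comment above, as an added example that is not part of the original comment: a "newest key with this ID" picker is compared with selection by a full fingerprint obtained out of band. The fingerprints, names, dates and function names are all constructed for illustration; the only OpenPGP fact relied on is that a short key ID is the low-order 32 bits of the v4 fingerprint.

```python
from collections import defaultdict

# Constructed keyserver results: two keys share a UID, a signature count and a short key ID.
CANDIDATES = [
    {"uid": "Alice Example <alice@example.org>", "created": "2009-03-01", "sigs": 41,
     "fpr": "1111 2222 3333 4444 5555 6666 7777 8888 DEAD BEEF"},
    {"uid": "Alice Example <alice@example.org>", "created": "2014-08-01", "sigs": 41,
     "fpr": "9999 AAAA BBBB CCCC DDDD EEEE FFFF 0000 DEAD BEEF"},
    {"uid": "Bob Example <bob@example.org>", "created": "2011-05-20", "sigs": 7,
     "fpr": "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"},
]

def normalize_fpr(fpr):
    """Drop spacing and an optional 0x prefix; insist on a full 160-bit fingerprint."""
    s = "".join(fpr.split()).upper()
    if s.startswith("0X"):
        s = s[2:]
    if len(s) != 40 or any(c not in "0123456789ABCDEF" for c in s):
        raise ValueError("not a full 40-hex-digit fingerprint: %r" % fpr)
    return s

def short_id(fpr):
    """32-bit key ID: the last 8 hex digits of the fingerprint."""
    return normalize_fpr(fpr)[-8:]

def ambiguous_short_ids(candidates):
    """Short key IDs claimed by more than one distinct fingerprint."""
    by_id = defaultdict(set)
    for c in candidates:
        by_id[short_id(c["fpr"])].add(normalize_fpr(c["fpr"]))
    return {k: sorted(v) for k, v in by_id.items() if len(v) > 1}

def newest_match(candidates, key_id):
    """The failure mode: choose by short ID, break ties by creation date."""
    hits = [c for c in candidates if short_id(c["fpr"]) == key_id.upper()]
    return max(hits, key=lambda c: c["created"])

def select_key(candidates, pinned_fpr):
    """Choose only by the fingerprint verified out of band.
    UID text, creation date and signature count play no part."""
    want = normalize_fpr(pinned_fpr)  # rejects short or long key IDs outright
    hits = [c for c in candidates if normalize_fpr(c["fpr"]) == want]
    if not hits:
        raise LookupError("no candidate carries the pinned fingerprint")
    return hits[0]

if __name__ == "__main__":
    print("ambiguous IDs:", ambiguous_short_ids(CANDIDATES))
    print("newest wins  :", newest_match(CANDIDATES, "DEADBEEF")["fpr"])
    print("pinned       :", select_key(CANDIDATES, CANDIDATES[0]["fpr"])["fpr"])
```
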



