
PGP is downright user-hostile once you're not using web of trust. So it's true that you don't have to use web of trust. But PGP goes out of its way to make your life hell.

For example, let's say you have a key (as an ordinary file) and a signed message in hand. How do you check that this key has signed this message, using the gpg command-line tools?

The problem with PGP is that it combines web of trust and the mechanical actions of signature verification and cryptography into one tool. It forces you to use one program both to express "trust" and to do signature verification. God forbid you should ever want to sign or encrypt something without futzing about with your keychain.



> How do you check that this key has signed this message, using the gpg command-line tools?

    gpg2 --import pubkey.gpg
    gpg2 --verify-files a-message.asc


This imports a key into my keychain, maybe I don't want to import this key? It also doesn't tell me if the message was signed with the key I specified, I have to do that myself, maybe by looking closely at the output? Awful, 3/10.
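The complaint above has a concrete answer that neither comment spells out: run gpg against a throwaway home directory so the key never lands in your real keyring, ask for machine-readable `--status-fd` output, and compare the signing fingerprint yourself instead of eyeballing the human-readable text. The script below is an added example written for this page, not code from either commenter; it assumes a gpg 2.x binary on PATH, and the file names, the expected fingerprint and the status lines used to exercise the parser are placeholders or constructed samples, not real keys.

```shell
#!/bin/sh
# Added example: verify a signed message against ONE specific key file without
# importing that key into ~/.gnupg, and decide programmatically whether the
# signature came from the key we expected. Assumes gpg 2.x is installed.

# Parse gpg --status-fd output and succeed only if a VALIDSIG line names the
# expected fingerprint. Field layout of VALIDSIG (from gpg's DETAILS doc):
#   VALIDSIG <sig-key-fpr> <date> <ts> <exp-ts> <ver> <res> <pk-algo>
#            <hash-algo> <sig-class> [<primary-key-fpr>]
# $1 = expected fingerprint (40 hex chars, spaces/case ignored)
# $2 = the full status text. Prints the fingerprint that actually signed.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    status="$2"
    signer=$(printf '%s\n' "$status" |
        awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}')
    primary=$(printf '%s\n' "$status" |
        awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $NF; exit}')
    [ -n "$signer" ] || { echo "no valid signature found" >&2; return 1; }
    # Accept a signature made by the key itself or by one of its subkeys
    # (in which case the primary fingerprint is the last field).
    if [ "$signer" = "$expected" ] || [ "$primary" = "$expected" ]; then
        echo "$signer"
        return 0
    fi
    echo "signed by $signer, not by expected key $expected" >&2
    return 2
}

# $1 = public key file, $2 = inline/clearsigned message, $3 = expected fpr.
# The key goes into a temporary GNUPGHOME that is deleted afterwards, so the
# caller's real keyring is untouched. --trust-model always disables the
# web-of-trust check; the fingerprint comparison in check_status replaces it.
verify_with_key() {
    keyfile=$1; msg=$2; expected=$3
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    status=$(GNUPGHOME=$tmp gpg --batch --quiet --import "$keyfile" 2>/dev/null &&
             GNUPGHOME=$tmp gpg --batch --trust-model always --status-fd 1 \
                 --verify "$msg" 2>/dev/null)
    rc=$?
    rm -rf "$tmp"
    [ $rc -eq 0 ] || { echo "gpg could not verify $msg" >&2; return 1; }
    check_status "$expected" "$status"
}

# Usage (placeholder names): sh verify.sh pubkey.gpg a-message.asc <FINGERPRINT>
# The expected fingerprint comes from out of band, or from
#   gpg --show-keys --with-fingerprint pubkey.gpg
if [ $# -eq 3 ]; then
    verify_with_key "$1" "$2" "$3"
fi
```

For a detached signature, pass `--verify message.sig message` instead of the single file; everything else, including the status parsing, stays the same. The exit code is what a script should act on: 0 only when gpg reports VALIDSIG and the fingerprint matches, which is the check the second commenter had to do by hand.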



