Investigating privacy-respecting online identity, data ownership & control solutions

Good points @zincfoam! Let me address each of them in turn. You may know about these concepts already, but I’ll add some additional explanation for others to understand too.

Handling keys by non-technical users

Cryptographic keys are different beasts than passwords. Cryptographic technologies mostly exist in a layer that is hidden from view of regular, non-technical users. You use them without being aware of them, like when you browse secure (HTTPS) websites. Under the hood, keys, certificates and truststores do the work of ensuring your connection is secure. If two ProtonMail users exchange emails, then the service ensures that the mails are signed and encrypted. Etcetera.

Keys are not meant to be human-readable and memorizable (they are very long random-looking character sets).

There is some management of keys that is similar to handling passwords, however, e.g. when the key exchange mechanisms in this ‘Web of Trust’ use public-key technology, then there are private keys that are strictly private and must be protected, while public keys can be exchanged freely.

A key provider must provide secure access to your keys, and could use a password mechanism for this, accompanied with e.g. two-factor authentication (like confirming access using your phone). When there is need to carry private keys around, then they could be stored on a bank card and protected by a pincode (where 3 failed access attempts lock the card). There are many methods to deal with keys securely.

Laws and regulation

There is no explicit need for all the appropriate laws and regulations to be in place. The Web of Trust technology can stand on its own. But it would certainly help if regulation was designed in support of the technology.

Besides the GDPR many countries already have other laws in place that could be applicable to breaches of trust. Like when you steal someone’s key and gain illegal access to personal information, then this may constitute a cybercrime.

Laws - if they exist - can be transformed to Claims in the technology layer. This means that as an end-user I can make an informed decision whether I trust a 3rd-party with my data. If the service I want to invoke can’t make any valid Claims, because e.g. the server is hosted in North Korea, then I can decide not to use it.

The amount and nature of the valid claims a service can provide thus establishes its Authoritativeness, its reputation, if you will.

Accessibility and scope of Web of Trust

Yes, you are right in stating that large parts of the world do not have access to technology, like we do in the West.

An important point, however, is that the Web of Trust pertains only to The Web, i.e. the internet and those that already have access to it. The identity system outlined in my previous comment is not meant to be a universal system for identity that also extends to the ‘real world’ (outside of the web). Nothing changes there, and you have passwords, bank cards, birth certificates, etc. to prove your physical identity. Web of Trust is about your Digital Identity.

This does not preclude a translation of the Universal Declaration of Human Rights to the Digital Realm, that states that every person in the world has the right to have a Digital Identity.

Cryptography, identity and encryption

Do not confuse cryptography with encryption. They are different things.

I can use a key to sign content that was created by me, which allows others to establish with confidence that I was indeed the creator. This mechanism also extends to verify that the content I receive was tampered with and modified by some man-in-the-middle, a nefarious actor. So keys establish Identity and Authenticity.

I am sure that countries such as China do not have a problem with the above use of key cryptography. Many governments including that of China, but also Australia (see: Australia anti-encryption law) and the US, however, have issues with Encryption. Under the guise of fighting terrorism they want to be able to spy on anyone’s information exchanges on the internet.

But encryption is an optional next step that can be achieved with key cryptography. Ensuring online privacy of communication (using encryption) is a universal right that we should fight for, but it does hamper the Web of Trust concept (though weak encryption means weaker assurances of trust).

Issuing Claims and establishing Authority

You are once again right about large parts of the world population not having government-issued identity cards. I should clarify that a government Claim of your Nationality is just an example (therefore the ‘may’ in my sentence).

Anyone can issue Claims, and there may be more ways to establish your Nationality. Note that on many occasions you wouldn’t need to state that claim to establish trust. The Web of Trust in that respect is very similar to how trust works in the real world.

If I want to approach a friend of yours whom I don’t know, then - for her/him to trust me - it would be sufficient for me to show that person a valid Claim provided by you to me, stating that I am your friend.

If on the other hand I would be posting an article to Bloomberg, stating that I was “Barack Obama”, then Bloomberg would require me to provide a number of really strong Claims to prove that fact. If the only claimable fact was a server IP address in Nigeria, then Bloomberg would immediately reject my article (and flag me as untrustworthy).

Note that the Key Providers are decentralized, just as the web is inherently decentralized. This means that I could run my own key provider server, or host one with the people in my neighborhood. I can create as many keys as I want, but they are not of much value without claims attached to them.

To establish Nationality, instead of my government, my bank may be willing to provide it. The claim may be less trustworthy. Maybe you don’t trust my bank. It could also be provided by e.g. the UN, or Unicef, or any NGO or even commercial party, if I can convince them to provide me that claim (e.g. by showing registration papers of my city, or whatever).

Breaches of trust and Security

Last point, and also mentioned earlier, the technology and law go hand in hand. Insufficient law does not hamper the Web of Trust technology from being used.

Regarding actual breaches of the law: Data breaches and stolen identities (like Ashley Madison, Marriott, etc.) are very much in the news these days. More and more data breaches occur. Every hacker, government and commercial entity is out to get our personal data.

But these breaches mostly occur because the systems where the information was stolen from are inherently insecure. There is much sloppiness in their implementation in general, because monetary incentives prevailed when creating them, not privacy and security.

Embedding well-designed cryptographic solutions into these systems would greatly increase security and privacy. Cryptography is a very complex subject, and can be easily implemented the wrong way. But it is good to know that experts in these fields are pushing the technology and creating applications, libraries, projects and best-practices for application developers that hide these complexities.

Adoption of these solutions is important for the Web of Trust to come about, and this is a slow progress unfortunately, because of the need for standardization and interoperability of systems.

2 Likes
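The signing-without-encryption idea and the issuer-dependent trust in Claims described in the post above can be shown in a few lines of Go. This is an added example, not part of the original post or of any Web of Trust project; the `Claim` layout, the issuer labels "bank" and "ngo", and the statement strings are assumptions made up for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Claim: an issuer's signed statement about whoever holds the Subject key.
type Claim struct {
	Issuer    string            // hypothetical issuer label, e.g. "bank"
	Subject   ed25519.PublicKey // the key the claim is attached to
	Statement string
	Sig       []byte
}

// payload is the exact byte string that gets signed; %q keeps fields unambiguous.
func (c Claim) payload() []byte {
	return []byte(fmt.Sprintf("%q %x %q", c.Issuer, c.Subject, c.Statement))
}

// Issue signs the claim with the issuer's private key. Nothing is encrypted.
func Issue(issuer string, priv ed25519.PrivateKey, subject ed25519.PublicKey, stmt string) Claim {
	c := Claim{Issuer: issuer, Subject: subject, Statement: stmt}
	c.Sig = ed25519.Sign(priv, c.payload())
	return c
}

// Verify accepts a claim only if this verifier trusts the issuer AND the
// signature matches the claim's current contents.
func Verify(c Claim, trusted map[string]ed25519.PublicKey) bool {
	pub, ok := trusted[c.Issuer]
	return ok && ed25519.Verify(pub, c.payload(), c.Sig)
}

// demo runs three constructed cases and reports which claims are accepted.
func demo() (genuine, altered, untrusted bool) {
	bankPub, bankPriv, _ := ed25519.GenerateKey(nil) // nil means crypto/rand
	_, ngoPriv, _ := ed25519.GenerateKey(nil)
	myPub, _, _ := ed25519.GenerateKey(nil)
	trusted := map[string]ed25519.PublicKey{"bank": bankPub} // verifier's own choice

	good := Issue("bank", bankPriv, myPub, "nationality=NL")
	forged := good
	forged.Statement = "nationality=US" // changed after signing
	other := Issue("ngo", ngoPriv, myPub, "nationality=NL")
	return Verify(good, trusted), Verify(forged, trusted), Verify(other, trusted)
}

func main() {
	fmt.Println(demo()) // true false false
}
```

The claim stays readable by anyone throughout; the signature only binds it to the issuer's key, and each verifier decides for itself which issuers go into `trusted`.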