The problem runs deeper than UX in plugins for mail clients. Offline key exchange is inconvenient enough that it prevents GPG from being used as encrypted-by-default mail. Identity and key management is really the underlying issue, something in the spirit of CONIKS might be good enough to build a working system though. As OP points out even then you have issues with multi-device support.
While offline exchange is needed for proper security, for casual snoopers having a the clients generate the pair, embed the public in every outgoing, grab publics from incoming, and encrypt by default for outgoing from that point on, would be a major step up from the status quo.
> Offline key exchange is inconvenient enough that it prevents GPG from being used as encrypted-by-default mail.
I would love to simply sync users' keys between their devices and encrypt opportunistically like OTR does. Offline key exchange would only be necessary for verification purposes at that point. I see user key management as the harder problem than exchange.
> The problem runs deeper than UX in plugins for mail clients.
UX runs deeper than software interfaces.
> Identity and key management is really the underlying issue
Yes, that's a UX issue.
So:
- Get GPG key from Facebook (which has them as part of the standard profile today)
- Say to person: you should contact this person by a means you trust and confirm this is their key (since we don't trust anyone by default).
- Once they click OK, they can now send messages to that person.
Nothing stopping other mainstream sites from adding GPG, it's jus that FB is the only one I know of. Obviously GitHub doesn't count since most people aren't software developers.
Well yeah, that's why I addressed it in the post you're replying to. Offline key confirmation is still the best bet for most people, it's just that people don't use it because they don't use crypto because crypto tools are awful.
