[oceanofsolaris]

I think that your points 2) and 3) are not perfectly reasonable if you really want to reach those who are not yet using encryption.

If you look at how keychains are usually used nowadays, they are an implementation detail you could and probably should hide from non-technical users.

As you say yourself, in order to find a key, you use the search for key button. Which prompts the program to look on a keyserver. You then import the first non-expired key you find for the desired email address. Why not do this automatically? You just annoy users who have to go through two (highly non-self-evident) steps and who do neither know nor care what a 'key' is. They just want to write secure email to their friends. (and btw, does the key-search even go over a secure connection with a pinned certificate? Because else you are not even trying to avoid MITM attacks).

Is it too much to ask these users to read the manual, learn about which kind of key is the most secure yet also compatible with the GPG versions of their friends, find out how many bits theirs should have, have them wiggle their mouse (why, couldn't you use /dev/urandom for most cases?), upload their key to a keyserver, search their friends key from a keyserver, learn about the web of trust and go to a key-signing party? Is this too much to ask? Probably yes. I did not need to acquire a similar amount of knowledge about TextSecure and yet it probably transmits my messages in a more secure form than GPG.

I am not saying that key-discovery is super-easy and all these are completely solved problems. But why do you have to make it so much more complicated for users than it has to be?

[aroch]

PGP is not supposed to be TOFU, friction to adding/trusting keys is part of the point of PGP -- verification of trust.

If clicking a prominently placed button to lookup a key is not intuitive, then how do these users manage the just as unintuitive process of finding, verifying, and installing an application on their device?

Keys are searchable over HTTP/HTTPS, and the HTTP derived (insecure) hkp and TLS-secured hkps protocols. The whole point of PGP is that you don't trust the source of the key without verification, so the protocol over which you receive the key doesn't matter.

There exist a plethora of implementations that hide the trust-building exercise from users, and they're all for instant messaging. You can shoe horn that into email, but why? PGP is based on the web-of-trust principle of verification; if you just want the attestation that UserX probably owns KeyX, use a service that's tied to your phone number or email that doesn't use PGP -- i.e. textsure, telegram, whatsapp, etc.

[oceanofsolaris]

At least the GPG authors seem to be of the opinion that in order to make their programm usable for a larger amount of users, TOFU would be a good idea [1]. I don't see why hiding the trust-building from users is necessarily such a bad thing if it leads to a lot more people using encryption. If you are an expert user, verifying the keys is not impossible for you, even if GPG uses TOFU.

In the end, the current PGP workflow is simply unusable for many people [2]. It might be a good idea to introduce a new and improved encrypted email protocol, but since PGP/GPG are already here and had a lot of developement, why not make them usable for more people? What percentage of your emails are currently sent encrypted? I have currently two people whom I can send encrypted email; 99% of my email is currently not encrypted. I would really love to increase this.

[1] https://www.gnupg.org/blog/20150911-gnupg-this-summer.html

[2] Edward Snowden had a hard time convincing Glenn Greenwald to set up GPG. Even though he made a 12 minute video that detailed all the (horribly unintuitive for a non-expert) steps. So even with a strong incentive (possible whistleblower contact), the difficult setup procedure was enough to scare Greenwald away.