by kjs3 2366 days ago
Since PGP has almost no serious real-world adoption (search your feelings; you know it to be true)

Checks...it's not true. Maybe the original email use case never caught on, but that's not the only one. For example, PGP is a standard way to transfer Visa, MasterCard, or Diners Club credit card transaction files. We have thousands if not tens of thousands of entities transferring PGP-encrypted files every day, and we get new requests for PGP enablement on a regular basis. This is a deeply embedded business process (even embedded in many corporate financial systems like Oracle Financials), and it's not going away any time soon.

Other use cases...yeah, PGP should go away.


Not only should PGP go away for that use case, but it easily could; very few people would need to be convinced to upgrade it to a better format. What's held that back from happening is nobody agreeing on what that better format is; it's the same reason we're only now getting WireGuard after almost 2 decades of IPSEC VPNs.

Not only should PGP go away for that use case, but it easily could

Says someone who has never had to do it.

very few people would need to be convinced to upgrade it to a better format

Only the tens of thousands of current users who I personally have who would see no reason to change something that currently works and is secure. I have, in fact, suggested a number of better solutions over the years.

Hell...it took us 10 years to convince all the third parties that plain FTP was probably a bad idea. And there's still a tiny handful of very, very large companies that still say 'meh' and force us to keep an FTP server around.

Must be nice to not have to deal with real customers.

Is there someone you know with a similar name to mine that you think you're talking to? The kinds of issues you're talking about are my actual full-time job.

Oh, my...don't you know who I am? Classy. I guess my aversion to being Internet Famous makes me easy to condescend to.

My "actual full-time job" is building and operating security teams for Fortune 1000 sized companies, not startups. These kinds of issues are also what I do every day. I just do it with far more customers, internal stakeholders, budget, technical debt, politics, employees, governance, geography, etc., etc. And I actually do those hard things; I don't just say "you should do this...it should be easy".

Consider that just maybe your perspective doesn't represent the totality of the security landscape. Things that are easy when you're consulting to the latest Foo of Bar startup or whatever is spooling out cat videos this week are very, very hard when you're dealing with entrenched, interconnected business processes processing billions of dollars of other people's money. Just a thought.