[jakehansen]

HPKE allows you to use private/public keypairs that are signed by a trusted authority, therefore enabling two parties that have never met prior to securely communicate. That is, as long as they trust the same authority.

Another major benefit of HPKE is a shared key schedule. Two parties can generate as many symmetric keys as they would like over a persistent conversation. This kind of provides ‘sub keys’, but within the context of a conversation, as they are not long lived.

GPG’s web of trust model is powerful but is limited in contexts where you have no prior trust. The world’s existing PKI structure, with a handful of root CAs, is already well established and trusted by nearly every device on the planet.

[exabrial]

I should have specifically named Web of Trust as the not-so-useful part of PGP. I'm not a fan and it never worked out in practice.

In essence: you're correct about that part.

[upofadown]

>GPG’s web of trust model is powerful but is limited in contexts where you have no prior trust.

With the WOT you can choose who you trust. In particular you have the choice not to trust every single one of the several thousand second level CAs that currently exist.

None of this explains what HPKE is and why anyone would be interested in it.