Looking forward, however, I think of GPG as a glorious experiment
that has run its course. The journalists who depend on it struggle
with it and often mess up (“I send you the private key to
communicate privately, right?”), the activists who use it do so
relatively sparingly (“wait, this thing wants my fingerprint?”),
and no other sane person is willing to use it by default. Even the
projects that attempt to use it as a dependency struggle.
These are deep structural problems. GPG isn’t the thing that’s
going to take us to ubiquitous end-to-end encryption, and if it
were, it’d be kind of a shame to finally get there with 1990s
cryptography. If there’s any good news, it’s that GPG’s minimal
install base means we aren’t locked in to this madness, and can
start fresh with a different design philosophy. When we do, let’s
use GPG as a warning for our new experiments, and remember that
“innovation is saying ‘no’ to 1000 things.”
Any solution that isn’t easy to use and easy to understand is a poor solution. And GPG is neither.