It still requires users to understand that they have a public and a private key, and just one of them, and a "key ring" to which they add their counterparties public keys, and that those keys themselves have to be authenticated and "signed" if the system is to be secure.

For me at least, this isn't the pain point. Granted, I'm an engineer, but all I've got for data is my own mind, so here's my anecdotal evidence.

The concept of keypairs doesn't seem hard to me. And I think that can be abstracted away a bit anyway. You just need to know that there's this super-secret file (the private key) that you should never leak to anyone, and you need to sync it to your devices. So far, not so bad. As for the public key, I think the software can mostly just handle that for you. I.e. it can take care of uploading it to keyservers.

Signatures might be harder for people to understand. But here still, a good UI could help to abstract that away a bit. Imagine I can just click "get my key signed," enter an email address, and that's it on my end. No more steps for me to take. On my friend's side, it's just an email that comes in, probably with a link using the application's special protocol. My friend clicks the link, her PGP UI boots, and a yes/no pops up. Done.

So I don't think that understanding the mental model is the bottleneck right now. Rather, I think it's that the software and the accompanying documentation are not optimized for getting a naive user off the ground as fast as possible (without compromising security).

You can improve the written documentation with diagrams or produce a graphic novel for the reading impaired.

I've been using Enigmail for about a decade, and PGP longer than that, and I still think it's a pain in the ass. Whenever I'm configuring a new mail client, I have to fiddle with multiple settings just to get it to send encrypted mail.

There's a real opportunity to build something much, much simpler on top of PGP. All you really have to do is pick some sensible defaults and automate a few steps. Look at how many nerds can't be bothered with encrypted communication, let alone normal people.

Making GPG and programs that use it easier to use would be nice. But the primary issue is that many people that should be able to comprehend PKI basics and necessary background material to use it, are too "busy" or "lazy" to spend the limited time to even scratch the surface.

I face this daily, since I'm the go-to guy at my office for scripting/coding solutions for these folks. They just want it to work without having to learn or understand their decisions. And these are the same people that will spend hours figuring out complex lunch accounting issues or read volumes on video game strategies or rebuild engines.

I mostly agree, except there are some perils involved.

Bob has to make sure that the public key he thinks is Ann's really truly is Ann's, and not Eve's.

That would be a hard problem to solve.

You can do all that stuff, but it's the fact that you have to understand these concepts to use PGP that makes it difficult, not the way they're documented.

If you don't understand key management and public/private keys, signing, etc., you either have to depend on someone that does, or cargo-cult your way through using it. And it's not difficult given a little "want to". Alton Brown could teach the concepts in a single show.

I understand this stuff, and I believe I can teach it to my friends. But I don't believe I can convince my friends to put up with the software that is currently available. That is the entire reason I can't find anyone to use PGP with.