Addressing the Moxie Marlinspike post - PGP being flexible and comprehensive is not the problem. The implementations/libraries (including GPG) being a fossil from last century are.
From my own experience I can say that the libraries are not well designed - they couple things together (like key management and decryption) and make some things hard to do even if they are conceptually simple (like checking a signature without first building a key-ring data structure with all keys from a file).
Progress comes from many experiments, going in all kinds of directions in UI design, infrastructure building etc. You need a comprehensive fundations to base on these experiments on.
>You need a comprehensive fundations to base on these experiments on.
The problem is that people build this huge, powerful libraries, but nobody seems to write the "limiting" libraries that take a subset of the powerful base library and create an easy to use experience from the user.
I suppose this largely stems from "implicit knowledge": People who can write cryptography apps likely know enough crypto that they can't themselves identify usability problems.
Libraries are more powerful if they are decoupled. For example I wanted to build a website that would let you check message signature against public keyservers. This sounds trivial - but unfortunately the libraries that I've reviewed don't provide a 'check_sig( message, public_key)' function - but only a 'key_ring.check_sig( message )' function. This complicated the matter a lot - because I would have to download the public key and save it into a temp file and then build a key_ring out of that file (with some other complications that I don't remember right now). Enough to discourage me.
Huge does not mean powerful when it is hard to mix and match (and limit) the functionality.
we're using and contributing to openpgp.js and so far this has worked pretty good for us, because it provides a sane API, properly documented, coherent code style, CI tested. here's a snippet for decryption and signature checking in Whiteout Mail: https://github.com/whiteout-io/mail-html5/blob/master/src/js...
1) libraries are often too complex for the avg dev: well, crypto is complex and there is rarely a one-size-fits-all solution. however, there are high level APIs that address your issues in openpgp.js (https://github.com/openpgpjs/openpgpjs). problem is that a lot of people try to roll their own crypto if the library does not offer those high level #box() and #unbox() functions. and THAT is a real problem down the road.
From my own experience I can say that the libraries are not well designed - they couple things together (like key management and decryption) and make some things hard to do even if they are conceptually simple (like checking a signature without first building a key-ring data structure with all keys from a file).
Progress comes from many experiments, going in all kinds of directions in UI design, infrastructure building etc. You need a comprehensive fundations to base on these experiments on.