
This has been my experience. The only "good" experience I've had with encrypted messages through email was a back and forth exchange I had with a fellow Keybase user where I manually copy and pasted blocks of encrypted text into/out of their web interface.


From my experience - the only PGP users I've spoken to were all on Keybase or interested in a Keybase invite. It was about 6 people for the entirety of last year - and 3 people this year...it certainly has a problem of "almost nobody uses it" but Keybase seems to have eased things slightly - or at least made it easier to discover people who also use PGP.

I see the two problems being "People don't bother with the clunkiness of using PGP when sending an email about what to pick up from the store" and "most users have no reason to talk to most other users".

I'm considering making it a point to message people with interesting Keybase avatars or social profiles tied to their Keybase if only to have an excuse to use PGP more, as silly as that might sound.


I have a keybase account and don't really use it. I like the idea, but part of the issue for me is attaching my "real name" to various online identities. I've used different types of pseudonyms over the years and due to poor opsec, some of them could be linked to me using the pseudonyms I use now. It's nothing illegal, but also nothing I'd like others to know about. So to attach my real name to keybase, I'd have to reestablish my identity in various places. Doing that, of course, removes some of the trust associated with the keybase model.

Additionally, and I realize this is tangential to this discussion, I use pseudonyms to somewhat reduce my privacy "surface", so to speak. If I take my twitter, HN, reddit, etc, etc. and say "this is me", you could build a pretty decent profile of who I am (politics, hobbies, profession, where I live and so on). That's a different privacy problem than keybase is trying to solve, so no criticism is intended, but it is a problem for me.


I believe one of the creators had said it is okay to have multiple accounts to keep identities separate or even to have an account for each identity. It does make it far less user friendly to need multiple accounts and multiple keys though and introduces a larger chance of making mistakes. Especially if it isn't that important to you (and it doesn't need to be!).

I use KB as an easy way for people to verify my signed messages - not necessarily for sending encrypted messages to other users. Mostly just a "This is me, you can verify it is me at Keybase easily - as long as you trust Keybase."

Doing that means users don't need to install PGP and know how to use it to verify that I am me. It isn't important now - or hopefully ever. By making a practice of it, my users expect it. If I am ever compromised, the malicious actor won't succeed in fooling my users as I expect at least a few will try and verify the message and will see it doesn't verify.

For myself, it's more about being a solution for a "what if?" scenario than anything practical or even privacy-related. It's just the best pseudonymous way of proving identity within some level of reasonable doubt that I know of.


Keybase has clearly moved away from PGP. They want to use Saltpack whenever possible, NaCl based encryption. They want to solve the problem of multiple devices and not having to share the private key between all of them.

As far as I know they are working on a messaging app as well.


I admit my ignorance of saltpack and keybase's implementation of it, but don't they propose storing the key for you? That seems to create a trust issue, which is precisely what the author is complaining people don't pay attention to, trust.

On the other hand, perhaps the argument for this would be a "trusted 3rd party" model (a la S/MIME).


Well, you can have your GPG Private Key online if you like, but that's not my point. The new system moves away from having any sort of master key.

Rather every device has a new key, and they all sign each other. You can add new devices without old proofs being invalidated.

See: https://keybase.io/blog/keybase-new-key-model and https://saltpack.org/

I would really like a solution using this stuff that is highly integrated with my mail client.
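The per-device model described in this comment (every device has its own key, devices sign each other in, and old proofs stay valid) can be shown with a small signature chain. The following Go program is an added example for this thread, not Keybase's code and not the saltpack or Keybase sigchain format; the link fields, link types and device names are constructed for illustration. Each link is signed by a device that was already trusted at that point in the chain, so replaying the chain from the first self-signed link yields the current device set, and a link signed by a revoked device is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Link is one entry in a toy per-device signature chain. Field names and link
// types are invented for this example; they are not Keybase's wire format.
type Link struct {
	Seqno     int    `json:"seqno"`
	Prev      string `json:"prev"`       // hex SHA-256 of the previous payload ("" on the first link)
	Type      string `json:"type"`       // "eldest" (self-signed first device), "add", or "revoke"
	DeviceID  string `json:"device_id"`  // device being added or revoked
	DeviceKey []byte `json:"device_key"` // Ed25519 public key of the added device (empty for revoke)
	SignerID  string `json:"signer_id"`  // device whose key signs this link
}

// SignedLink is the serialized link plus the Ed25519 signature over it.
type SignedLink struct {
	Payload []byte
	Sig     []byte
}

// Chain is the published list of signed links; a server only has to store it.
type Chain struct {
	Links    []SignedLink
	prevHash string
}

// Device holds one device's identity and signing key; the private key stays on the device.
type Device struct {
	ID   string
	Priv ed25519.PrivateKey
}

func NewDevice(id string) Device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Device{ID: id, Priv: priv}
}

func (d Device) Pub() ed25519.PublicKey { return d.Priv.Public().(ed25519.PublicKey) }

// Append fills in seqno, prev and signer, serializes the link and signs it with the device's key.
func (c *Chain) Append(l Link, signer Device) {
	l.Seqno, l.Prev, l.SignerID = len(c.Links)+1, c.prevHash, signer.ID
	payload, err := json.Marshal(l)
	if err != nil {
		panic(err)
	}
	c.Links = append(c.Links, SignedLink{Payload: payload, Sig: ed25519.Sign(signer.Priv, payload)})
	h := sha256.Sum256(payload)
	c.prevHash = hex.EncodeToString(h[:])
}

// Verify replays the chain from the first link and returns the currently trusted
// devices. A link is accepted only if its signer was trusted at that point, so a
// revoked device cannot add new devices after its revocation.
func Verify(c *Chain) (map[string]ed25519.PublicKey, error) {
	active := map[string]ed25519.PublicKey{}
	prev := ""
	for i, sl := range c.Links {
		var l Link
		if err := json.Unmarshal(sl.Payload, &l); err != nil {
			return nil, err
		}
		if l.Seqno != i+1 || l.Prev != prev {
			return nil, fmt.Errorf("link %d: seqno/prev mismatch", i+1)
		}
		if (l.Type == "eldest" || l.Type == "add") && len(l.DeviceKey) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("link %d: malformed device key", i+1)
		}
		var signerKey ed25519.PublicKey
		if i == 0 { // the first link is self-signed by the eldest device
			if l.Type != "eldest" || l.SignerID != l.DeviceID {
				return nil, errors.New("first link must be a self-signed eldest link")
			}
			signerKey = ed25519.PublicKey(l.DeviceKey)
		} else if k, ok := active[l.SignerID]; ok {
			signerKey = k
		} else {
			return nil, fmt.Errorf("link %d: signer %q is not a trusted device", i+1, l.SignerID)
		}
		if !ed25519.Verify(signerKey, sl.Payload, sl.Sig) {
			return nil, fmt.Errorf("link %d: bad signature", i+1)
		}
		switch l.Type {
		case "eldest", "add":
			active[l.DeviceID] = ed25519.PublicKey(l.DeviceKey)
		case "revoke":
			delete(active, l.DeviceID)
		default:
			return nil, fmt.Errorf("link %d: unknown type %q", i+1, l.Type)
		}
		h := sha256.Sum256(sl.Payload)
		prev = hex.EncodeToString(h[:])
	}
	return active, nil
}

// BuildExampleChain: laptop is the eldest device, it adds the phone, then the
// phone revokes the laptop. Returns the chain and the (now revoked) laptop.
func BuildExampleChain() (*Chain, Device) {
	laptop, phone := NewDevice("laptop"), NewDevice("phone")
	c := &Chain{}
	c.Append(Link{Type: "eldest", DeviceID: laptop.ID, DeviceKey: laptop.Pub()}, laptop)
	c.Append(Link{Type: "add", DeviceID: phone.ID, DeviceKey: phone.Pub()}, laptop)
	c.Append(Link{Type: "revoke", DeviceID: laptop.ID}, phone)
	return c, laptop
}

func main() {
	c, laptop := BuildExampleChain()
	active, err := Verify(c)
	fmt.Println("active devices:", len(active), "err:", err) // 1 (phone), <nil>
	// A link signed by the revoked laptop must be rejected on replay.
	c.Append(Link{Type: "add", DeviceID: "tablet", DeviceKey: NewDevice("tablet").Pub()}, laptop)
	_, err = Verify(c)
	fmt.Println("after revoked signer:", err)
}
```

The point the comment makes falls out of the replay: the phone's link was signed by the laptop while the laptop was trusted, so revoking the laptop later does not invalidate the phone, and no single master key is needed because trust flows from the eldest link through whichever devices were valid at each step.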


That's an interesting solution. Rather than having keybase keep your key, your devices are communicating directly to validate each other? I'm going to have to review this in more detail, thanks.


Currently you have to use a paper key to do it. You then upload a public proof chain. It's not where it should be yet, but the concept is pretty good.


They also have the KBFS which is very interesting. But yes, very clearly pivoted away from PGP and are working on other problems.


I don't think they are working on other problems, rather they realised that GPG has limitations and they cannot solve it with PGP. The problem they are working on is the same problem they started with.



I typically send 3-5 per week.


Was that user Filippo, by any chance?



