There isn't a lot to unpack in this article. Most of it is set-up, explaining how connected he is to a community that is enthusiastic about PGP yet doesn't apply secure operations in practice.
Then there is the main complaint:
> I haven't done a formal study, but I'm almost positive that everyone that used PGP to contact me has or would have done (if asked) one of the following:
> - pulled the best-looking key from a keyserver, most likely not even over TLS
> - used a different key if replied with "this is my new key"
> - resent the email unencrypted if provided an excuse like "I'm traveling"
I haven't done a formal study either, but no one I know that uses PGP would do any of these things under any circumstances. PGP works fine for myself and the group of people I know that use it, because we adhere to security protocols that are just as important -- if not more -- than using PGP itself.
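The second failure mode in the quoted list (accepting a different key because a message says "this is my new key") has a well-known defensive counterpart: a key rotation is only trusted when the new key is endorsed by a signature from the key you already had pinned, and the first key is pinned only after an out-of-band fingerprint check. The program below is an added example, not code from the article or from any of the commenters; it models that continuity check with Ed25519 from Go's standard library as a stand-in for PGP keys, with a hypothetical `PinStore`, a constructed `"key-transition:"` message format and a single simulated contact. It runs an honest rotation and an impostor's bare "new key" claim through the same check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// PinStore maps a contact to the public key currently trusted for them.
// Hypothetical structure for this example; the first key for a contact is
// pinned only after an out-of-band fingerprint comparison, never from a
// keyserver lookup alone.
type PinStore struct {
	pins map[string]ed25519.PublicKey
}

func NewPinStore() *PinStore { return &PinStore{pins: map[string]ed25519.PublicKey{}} }

// Fingerprint is the value two people compare out of band (SHA-256 of the raw
// key bytes, a constructed stand-in for a PGP fingerprint).
func Fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

// PinVerified records a key only when its fingerprint matches the one the
// caller confirmed through a separate channel.
func (s *PinStore) PinVerified(contact string, pk ed25519.PublicKey, confirmedFP string) error {
	if Fingerprint(pk) != confirmedFP {
		return errors.New("fingerprint mismatch: refusing to pin")
	}
	s.pins[contact] = pk
	return nil
}

// Pinned returns the currently trusted key for a contact, if any.
func (s *PinStore) Pinned(contact string) (ed25519.PublicKey, bool) {
	pk, ok := s.pins[contact]
	return pk, ok
}

// transitionMsg is the byte string the OLD key must sign to endorse a NEW key
// (constructed format for this example).
func transitionMsg(newKey ed25519.PublicKey) []byte {
	return append([]byte("key-transition:"), newKey...)
}

// SignTransition is what the legitimate owner does with the old private key
// when rotating to a new one.
func SignTransition(oldPriv ed25519.PrivateKey, newKey ed25519.PublicKey) []byte {
	return ed25519.Sign(oldPriv, transitionMsg(newKey))
}

// Rotate replaces the pinned key only if the new key carries a valid
// endorsement from the key already pinned. A "this is my new key" message
// without that signature is rejected, whoever sent it.
func (s *PinStore) Rotate(contact string, newKey ed25519.PublicKey, sig []byte) error {
	old, ok := s.pins[contact]
	if !ok {
		return errors.New("no pinned key for contact: verify a fingerprint out of band first")
	}
	if !ed25519.Verify(old, transitionMsg(newKey), sig) {
		return errors.New("new key is not signed by the previously pinned key: rejected")
	}
	s.pins[contact] = newKey
	return nil
}

// Demo runs both scenarios and reports (honestAccepted, impostorAccepted).
func Demo() (bool, bool) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	aliceNewPub, _, _ := ed25519.GenerateKey(rand.Reader)
	malloryPub, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)

	store := NewPinStore()
	// Bob confirmed Alice's fingerprint in person; simulated by passing the true value.
	_ = store.PinVerified("alice", alicePub, Fingerprint(alicePub))

	// Impostor claim: a new key endorsed only by the impostor's own key.
	impostorErr := store.Rotate("alice", malloryPub, SignTransition(malloryPriv, malloryPub))

	// Honest rotation: the new key is endorsed by Alice's previously pinned key.
	honestErr := store.Rotate("alice", aliceNewPub, SignTransition(alicePriv, aliceNewPub))

	return honestErr == nil, impostorErr == nil
}

func main() {
	h, i := Demo()
	fmt.Printf("honest rotation accepted: %v, impostor rotation accepted: %v\n", h, i)
}
```

The point of the check is that the trust decision never rests on the content of the email ("this is my new key") or on where a key was fetched from; it rests on a signature from key material that was itself verified out of band. The same structure applies to the first item in the list: a key pulled from a keyserver, with or without TLS, is untrusted until its fingerprint has been confirmed through another channel.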
That is definitely not my main complaint, and I suspect it might have caught your eye because it's the one that wouldn't apply to you (which is absolutely possible).
The article is about the flaws of long-term identity keys, and it would stand even if there weren't UX, adoption, or security protocol adherence issues.
You're right, long-term identity keys are bad. Long-term identity keys are not a concept mandated by PGP, they are a result of how people use PGP or how PGP is implemented in a third party app.
No part of PGP requires you to use a key more than once. This phenomenon is a result of a consensus of people deciding on a terrible operations strategy over a long period of time.
I don't understand what the point of your blog post is, in this case. You understand why PGP is needed and how it's important, how to use it correctly, etc., yet you "give up" on it because no one you know uses it correctly.
Is that it?
By the way, how are you going to send someone a 5GB file securely using Signal?