A correction: I wrote:
If we introduce these non-transferable signatures (good name btw) then
there is more possibility for confusion. It's completely different from
a regular signature; for one thing, Alice doesn't even have to type her
passphrase, because her signature key is not used when she creates this
kind of "signature"! Imagine the paranoia that would trigger on the PGP
user lists. In general it's going to increase the explanatory burden
for people who want to understand what the software is doing.
Sorry, I was confused when I wrote this. Of course, Alice does have
to use her passphrase and private key, as she signs the encrypted key
block. But I still think that the unique security properties of this
kind of signature would have to be explained, so that people can make
knowledgeable judgements about the security they are getting.
Hal