Oh, one item that I forgot to include in my list:
Encrypted private key packets are superfluous, IMO. Internally, it can be up
to the implementation how it secures private keys (as it varies from
situation to situation what the requirements and environmental assumptions
are), while for interoperability, it's perfectly secure to export
unencrypted private key packets (and the auxiliary stuff) within an
MDC-protected encrypted data packet, with some ESK in front of it.
This way, designers and implementers would only need to worry only about the
security of one MDC-protected encrypted data packet format, instead of two,
slightly different ones.
The only capability that would be lost is exporting and importing private
keys without knowing the corresponding passphrases, but I can't imagine
legitimate uses for that anyway, while such an action may well be part of
some more sophisticated active attack.
--
Daniel