Second, many of my colleagues have asked me to remove their old keys from my
database, because they
have forgotten them, although the PGP repository has not.
FWIW, the public repository at pgp.com reverifies the keys from time
to time. Earlier this week I got a couple of messages saying that if
I still wanted them to publish keys corresponding to those addresses,
click through and reconfirm. (Yes, I realize how weak this is, but
in the circumstances it's better than nothing.)
Your overall point that the problem with crypto is that it's unusable
if you're not a hard core geek is of course correct.
Third, I note that when I receive a signed email that has gone through an IETF
alias, I can no longer
verify the signature as a result of content modification. What is the value of
a signature one cannot
verify?
With the advent of DMARC, this problem now affects a lot more people
than ones who are looking for PGP signatures.
R's,
John