Somebody needs to do a best practices for pseudoanon OpenPGP like being careful not to upload your key to a keyserver in the clear, unmasking yourself. Not using any identifying info while generating. As an example look at political or blackhat forums sometime and just examine the public keys posted: hotmail addresses and traceable user nyms. Also avoiding anybody who sends you a BCPG bouncy castle key or OpenPGP.js in the version header, because they are probably using some ridiculously insecure browser encryption addon.
And submit your key to Phuctor: http://nosuchlabs.com/
It's so damn easy to shoot yourself in the foot.
Do this but but don't do that oh and make sure about that, and this, and that....
Is there a way to have your master identity key offline and delegate even certifications (signing other people's keys) to a subkey?
To be honest, signing other people's keys is one of the _more_ frequent activities I do with PGP, and I'd rather be able to independently revoke that key without tossing my identity.
So one thing I don't get about PGP keys: If they are such a great solution, why isn't PGP built into Linux as a core service? I'm not talking about simply having it available as one of the standard packages. Instead I'm talking about making it standard in tons of normal interactions. For example, the setup process for any new machine should require the creation of a PGP key specific to that machine. By adding this step, ever other application or service on the machine can go ahead and assume the existence of a private/public keypair specific to that machine. This opens up the opportunity for people to create applications that use public key exchange with the outside world as a given and therefore a reasonable default before passwords.
I would love it if the .ssh folder was also protected by default so that I would know if any application every accessed it, I would be notified. I know they are supposed to have permission 600 and normally won't be trusted if they don't. Because of this, I've always thought it odd that they aren't created with the correct permissions by default, instead of requiring you to explicitly change it. I've also always thought it odd the .ssh folder and files just as the .netrc file are not encrypted secure files by default that always require a password to access or at least require a password to access at least once every 5 minutes or so (like is sometimes required when running another sudo command past a certain threshold.
If one of the Linux distros never take the lead here, it would be sweet if OS X were one of the first ones to lead the way on legitimizing public/private key generation and exchange by making it much easier, but still secure.