
> Anything involving GPG, no matter how easy you make it, will require some knowledge of those concepts.

I don't think that's necessary. It would be sufficient to simply abandon the idea that keys must be relatively permanent and are useless without establishing out-of-band trust first.

Take WhatsApp for example. The client autogenerates the key, and then contacts are Trusted On First Use (TOFU). Rekeys aren't even notified to the user by default. Having users verify key fingerprints before they can even use the software was considered too difficult. So perfect security is compromised, but instead we get something that works, and can upgrade security if the user takes those additional steps.

The equivalent for GPG would involve an automatic request that a different party create a keypair and send back the public key, such that an encrypted message can then be sent. TOFU. Key management could then be automatic, and fingerprints still verifiable if users want to do that manually later.
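The trust model described in the comment above, sketched as an added example that is not part of the original comment or of any real client. `TofuStore`, `Pin`, the SHA-256 fingerprint, and the rule that a manually verified pin is never replaced automatically are all assumptions of this sketch.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    # Assumption: SHA-256 over raw key bytes stands in for a real key fingerprint.
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class Pin:
    fp: str
    verified: bool = False  # set only after an out-of-band fingerprint comparison


@dataclass
class TofuStore:
    notify_on_rekey: bool = False  # off by default, like the behaviour described above
    pins: dict = field(default_factory=dict)
    events: list = field(default_factory=list)  # (contact, old_fp, new_fp)

    def observe(self, contact: str, public_key: bytes) -> str:
        """Record the key a contact presented and return the trust decision."""
        fp = fingerprint(public_key)
        pin = self.pins.get(contact)
        if pin is None:
            self.pins[contact] = Pin(fp)  # trust on first use
            return "first-use"
        if pin.fp == fp:
            return "verified" if pin.verified else "unverified-match"
        if pin.verified:
            # Policy choice of this example: a verified pin is never replaced silently.
            self.events.append((contact, pin.fp, fp))
            return "blocked-rekey"
        if self.notify_on_rekey:
            self.events.append((contact, pin.fp, fp))
        self.pins[contact] = Pin(fp)  # automatic rekey, trust restarts unverified
        return "rekeyed"

    def verify(self, contact: str, fp_out_of_band: str) -> bool:
        """Optional upgrade: compare the pin with a fingerprint obtained out of band."""
        pin = self.pins.get(contact)
        if pin is None:
            return False
        pin.verified = pin.fp == fp_out_of_band.replace(" ", "").lower()
        return pin.verified
```

With `notify_on_rekey` left off, a key change for an unverified contact is accepted without any record, which is the usability-for-security trade the comment describes; the `events` list is what a client would surface to the user.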



