The problem today are the cost of the infrastructure to support CAs (this may be a minor problem) and usability (I think this is the most difficult to address). I cannot imagine many of my FB friends using PGP (or GnuPG), public and private keys.
They wouldn't need to. In simple cases like facebook, they would use some CA signed certificate (which basically says that they are who they claim to be) to sign in to facebook via ssl/https (this could be easily automatized in browser).
Yes but then you need a certificate to store (your private key). If you are in the same computer it is not a problem, if you move to another one, then you need to take the certificate with you. I think the problem is not as easy if you want proper security mechanisms.
