PGP doesn't need to be user-friendly just to verify signatures. It's like verifying your Linux distro's package system: all of them sign their packages (usually with PGP) and they get verified on installation, but as an end-user I never see it.
And yes, PGP is hard, but only if I want to add signatures to my emails, or use it for encryption. But that's a different use case than what I wrote about here. I think this is exactly the sort of confusion I intended with:
> Confusion between every-day “random person A emails random person B”-usage versus “large company with millions of users sends thousands of emails daily”-usage.
> But that's a different use case than what I wrote about here.
I find it amusing that the problem in the HN threads isn't that they know too little, it's that they know too much. They've seen arguments against PGP for years, and are having trouble processing the post in any way that is different from the "usual" PGP use cases they've seen. I'm seeing comments arguing that the user can't understand concepts of web of trust, or will get fooled by Paypals.com's signature, etc.