As for how it improves security, I'm going to hazard a guess that many of the people sending zikduruqe those messages hadn't previously set up a PGP key. So by asking for the public key and refusing to send them the credentials until he receives it, he's forcing them to set one up, which then makes it possible for them to do things like sign messages. Just making someone set up a keypair doesn't mean they'll use it correctly, but it's hard to argue against the idea that a company's security posture is improved when more people have PGP keys.


It’s so easy to use insecurely that I will argue that employees setting up PGP keys and then potentially trying to use them does weaken the company’s security posture.


I agree it is easy for people to shoot themselves in the foot with many historical PGP tools, which is exactly why we made keyfork.

It generates modern ECC PGP keychains with best practices in one shot, with multiple reasonably secure, user-friendly paper or smartcard backup solutions.

You will really have to know what you are doing to force keyfork to generate an unsafe keychain. Especially if you use it on AirgapOS, which ships with it.


Care to elaborate on this? How come using PGP insecurely is somehow more insecure than not using it at all? And what exactly do you mean by using it insecurely? Care to give me an example of this insecure use of PGP?

