
I'm not talking about deploying/using PGP to be secure from gov't (or Gmail) monitoring. I'm talking about its use in the context of 99% of normal interactions online. Yes, we wouldn't have tinfoil-hat-level security if it was managed by Gmail, Yahoo, etc. But we'd be light-years further ahead in our ability to interact securely with others online.


Okay, I'll bite for that - what's your threat scenario here?


These aren't threat scenarios. They're advantages to having PGP:

Eliminate most spam. Talk with your bank/do trades over email. Talk with your physician. Sign documents.

With webmail-based PGP, people are strongly incentivized to use this to avoid requiring users to sign in to other websites.


I don't think having to sign into other websites is that much of a bother, nor that people are that motivated to talk to their bank or physician on a regular basis that would drive adoption of this sort of thing.

And in return you have to stick all your eggs in one basket, get what would probably end up being a single persistent online identity that goes under your real name (if it's tied to an email address you use for business stuff), and that's owned by a company and may not even be willing to give them back to you (would you even own the private keys if it was being implemented on the server?)


There's really an amazing lack of imagination here, both from a threat avoidance perspective and a potential awesomeness one.

The deployment model is this: one large webmail provider starts doing PGP by default via its webclient. Maybe it provides you with private keys, maybe it doesn't. Fact is that it doesn't much matter, because as soon as a large webmail provider starts doing PGP/PKI, the two biggest problems with adoption (namely, that there's no one to use it with, and it's kind of a pain to use anyhow) are basically solved. And as soon as this happens, there starts being a competitive market where providers can begin improving on each other's implementations. Any provider that doesn't give users their private keys won't have much of an ethical argument for doing so, and so it probably would, anyway. There will, as always happens, be a feature war, except with PGP involved some of that war will involve privacy/encryption/reliability concerns.

(PGP also makes spear phishing much harder).



