Blame Google for not implementing it in Gmail -- Then they wouldn't be able to get ad revenue and user metrics from their "free" email service.
Someone doesn't understand how Gmail works. I have used PGP with Gmail, works fine. Oh, you mean you want Google to be able to read your email and display it on a web page ... while at the same time not be able to read your email ... okay then ...
Blame MS for not integrating it into Outlook, but why would we expect MS to actually want security in any of their products?
Because it's a crap system to make user friendly. You can, of course, buy a plugin that does it just fine.
Blame Mozilla for the creaky plugin and cumbersome import/export publish keys interface in Thunderbird, and support for SMIME over GPG by default.
No, blame PGP for this, this is a PGP problem, not a plugin problem. The PGP philosophy is what makes this a problem, and it's the same reason you're unaware of the fact that Outlook plugins exist. The entire PGP system is difficult to use on purpose, that's why it sucks.
Blame the users mostly for not giving a fuck about encryption.
No, I won't. Most users have no reason to care about encryption, most messages simply aren't that important, which is why the post office does its job just fine without encryption. Just because you think everything needs to be encrypted doesn't magically make it true. Are you a doctor? No? Do you blame yourself for failing to do medical procedures that aren't entirely automated? Because that's what you're saying here.
I can tell you this much: Fuck publishing ANY open source software without signed and verified GPG signatures.
Right, because then when you go verify the key by looking at a key thumbprint on an HTTP server ... you know the thumbprint hasn't been tampered with ... right ... oh wait ... you don't. Key distribution with PGP is a joke because you have ABSOLUTELY NO WAY to verify keys unless you are trading them physically with people directly. The instant you exchange your PGP thumbprint by looking at some website that's not encrypted or authenticated, you've already fucked up, you're just too ignorant of what's going on to realize it.
Let's assume the website uses HTTPS ... in which case, your trust depends on a CA ... which means ... it cannot possibly be any safer than S/MIME certs from that CA ... and is likely less secure because you've introduced a whole new chain of places for mistakes to be made.
PGP is intentionally broken by design.
And GPG is just a horrible implementation/bad copy of old PGP so let's not pretend like we're not talking about PGP here just because you've probably not been alive long enough to know what PGP is and that GNU did not create the universe.
Grow up, get a clue, your attitude is exactly why PGP sucks ass.