@alison, it felt weird that you would be relatively negative about Thunderbird and GPG, but then assign us to experiment with these technologies. That’s the context for the thoughts below.
Though Mozilla no longer pays for Thunderbird to be developed, Mozilla Foundation owns the project and it is actively developed. It probably has a lot more contributors than most open source projects. Think of the Heartbleed SSL vulnerability. SSL was being maintained by one person. A lot more folks contribute to Thunderbird. One of our possible assignments this week was to make a Riseup email account. Riseup’s documentation mentions Thunderbird. A number of possible assignments are about experimenting with GPG. FSF’s GPG tutorial recommends Thunderbird. @alison implied that she uses Thunderbird. I use Thunderbird every day. Point being, Thunderbird is okay. When you do first set it up, all the options can be intimidating, but typically it just works. If your threat model is serious–get serious about the settings. If you wanted to experiment with a different client you could try Claws or Sylpheed. I have a hunch that experimenting with Claws or Sylpheed will make anyone appreciate the robustness of Thunderbird. If you’re on GNU/Linux, there’s Evolution, which is actively maintained and very much equivalent to Thunderbird. Claws, Sylpheed, Evolution, and Thunderbird all have GPG integration.
Once set up in a client like Thunderbird, I’ve found GPG is easy to use. Not that getting there is super easy if you don’t already have a working knowledge of computers/email, but the documentation is not esoteric. Doing it at least once can help illuminate how encryption works. I agree that it was not created for everyday users and this is problematic. The public display of contacts is very problematic. Is this not doxing by design? I only talk about GPG during long privacy trainings. With the caveat that I may have done a poor job explaining it, no attendee has ever taken me up on the offer to exchange a GPG encrypted email (my fingerprint is D2FB 800F CDF1 6A3F E63B 6498 C953 2D42 8A9B 3AEF). Though I use Thunderbird every day, I have only exchanged GPG encrypted emails with two people: @alison and my partner. @alison said Tor Project uses GPG for financial docs. So it works, it is just sub-optimal.
I concur there are some aspects (or pockets) to the culture that GPG emerged from that are toxic: elitism disguised as meritocracy, a ‘hack or be hacked’ mentality that ignores the rights of others, and (sometimes) misogyny. Though I have benefited from privileges society unjustly affords me, I too find/found those aspects of that culture intimidating and gross.
I’ll plead the fifth as to having any orphan keys floating around out there.