Reply to post: Re: The more, the merrier?

Cops hate encryption but the NSA loves it when you use PGP

Michael Wojcik Silver badge

Re: The more, the merrier?

it needs to be baked into the mail protocols

It has been, for 39 years. PEM in RFC 989.

And then again in 1991 with PGP (RFC 1991, though that only specified message formats), and in 1998 with S/MIME v2 (RFC 2311; S/MIME v1 was not standardized).

and software as a default

Well, yeah. MUA and MTA authors couldn't be bothered, or picked the wrong horse.

PEM was probably too early. There wasn't a widespread appreciation of the need for improving email security, the US was still laboring under excessive cryptography export controls, and sharing code (particularly important for crypto, given the difficulty of getting it right) was impeded by less-widespread access to the Internet.

PGP was generally perceived as a single implementation, not an interoperable specification, until OpenPGP came along in 1998. But mostly, I think, the problem was that MUA authors in particular were much more concerned with adding flashier features that they thought would attract novice users, as well as avoiding those damned export controls again.

S/MIME wasn't clearly superior to PGP (and still isn't). It looked mostly like a way for RSADSI to push PKCS#7. Microsoft climbed on board (Outlook still supports S/MIME natively but not PGP), because of course they did, but to PGP fans S/MIME looked like god-not-more-crap-thrown-on-top-of-poor-email. And corporations generally just went with SMTP+POP/IMAP or a proprietary protocol like Exchange, running through VPN tunnels, for confidentiality, and didn't worry about authentication and other features of cryptographically-secured email.
