One of the things I've noticed about PGP is that it makes it pretty obvious that you're sending an encrypted message. [...] Sending encrypted messages may call unwelcome attention to yourself.
First, let me get on record as saying that Hal's "innocent mode" is a good idea that should be implemented. But it's not really a good long-term solution from a social point of view. Encrypted traffic should become the norm, not the exception. Flagging that you're sending encrypted traffic should be encouraged. When questioned about this, people should respond in shocked tones "What do mean? Aren't you encrypting _your_ email?" and then proceed to suppress gentle laughter at them when they say no. When it's cool to encrypt, only the uncool will be plain. So, then, more peer pressure! Consider someone asking you about your encrypted mail to be an opportunity to start a conversation about their position on personal privacy. When your sysadmin asks why your mail can't be read, tell him you are defending your privacy and ask if there is any problem with that. Then, when the sysadmin puts in a filter for PGP traffic, use innocent mode.
Another thing that I think is kind of bad about PGP in the context of avoiding traffic analysis is that it puts the key ID of the destination person in the header.
Absolutely. Ditto for signatures. Both should be able to be selectively removed. In any case, it should be possible to have nothing appear on the outer envelope. Another feature for PGP would be automatic message padding. To properly do a mix you need to quantize the message lengths. If PGP were to automatically pad with random data, it would save a lot of integration work for the mix. PGP already has a random number generator, after all. Eric