[Sent from my iPad, as it is not a secured device there are no cryptographic keys on this device, meaning this message is sent without an OpenPGP signature. In general you should *not* rely on any information sent over such an unsecure channel, if you find any information controversial or un-expected send a response and request a signed confirmation]
> On 28 Dec 2015, at 15:58, James Le Cuirot <ch...@gentoo.org> wrote: > > On Mon, 28 Dec 2015 09:42:40 -0500 > Rich Freeman <ri...@gentoo.org> wrote: >> .. >> And this would be why I don't bother to sign my emails any longer. >> The FOSS world is still stuck in the days when people ran X11-based >> MUAs and stored their mail in conventional folders. I've yet to see a >> decent browser-based MUA or Android client which does signing. >> Squirrelmail does, but it is really lacking compared to something like >> Gmail. > > I haven't tried the feature myself but K9 Mail, which is highly > regarded, does it via APG on Android. iirc k9 doesnt support PGP/MIME (RFC3156), but some interesting things happening with OpenKeychain (https://www.openkeychain.org/k-9/ ) in that regard. We actually discussed it a bit during last OpenPGP summit in zurich. The main issue is key storage, though. For signatures you can use a dedicated signing subkey, however you get in problem with encrypted emails as mobile devices are not really secure devices and should never have cryptographic material. What could work in this case is a NFC (or for that matter bluetooth, although it needs to be properly paired etc etc) channel with a separate device with a separate keychain and display so you can verify the request, and never actually expose private key material to the cellphone. In the mean time I just include the notice whenever I don't sign, at least some people notice it and gives it another thought.
