From: Kristian Fiskerstrand
To: "gentoo-dev@lists.gentoo.org"
Subject: Re: [gentoo-dev] [RFC] New project: Crypto
Date: Mon, 28 Dec 2015 16:07:33 +0100
Message-Id: <9AB9A178-B4A1-4493-A3A4-0B3A855E603F@gentoo.org>
In-Reply-To: <20151228145813.40343a43@symphony.aura-online.co.uk>

[Sent from my iPad, as it is not a secured device there are no cryptographic keys on this device, meaning this message is sent without an OpenPGP signature. In general you should *not* rely on any information sent over such an unsecure channel, if you find any information controversial or unexpected send a response and request a signed confirmation]

> On 28 Dec 2015, at 15:58, James Le Cuirot wrote:
>
> On Mon, 28 Dec 2015 09:42:40 -0500
> Rich Freeman wrote:
>>
..
>> And this would be why I don't bother to sign my emails any longer.
>> The FOSS world is still stuck in the days when people ran X11-based
>> MUAs and stored their mail in conventional folders. I've yet to see a
>> decent browser-based MUA or Android client which does signing.
>> Squirrelmail does, but it is really lacking compared to something like
>> Gmail.
>
> I haven't tried the feature myself but K9 Mail, which is highly
> regarded, does it via APG on Android.

IIRC K9 doesn't support PGP/MIME (RFC3156), but there are some interesting things happening with OpenKeychain (https://www.openkeychain.org/k-9/) in that regard. We actually discussed it a bit during the last OpenPGP summit in Zurich.

The main issue is key storage, though. For signatures you can use a dedicated signing subkey, however you run into problems with encrypted emails as mobile devices are not really secure devices and should never have cryptographic material. What could work in this case is an NFC (or for that matter Bluetooth, although it needs to be properly paired etc. etc.) channel with a separate device with a separate keychain and display so you can verify the request, and never actually expose private key material to the cellphone.

In the meantime I just include the notice whenever I don't sign; at least some people notice it and give it another thought.