PGP/MIME considered harmful for mobile

Robert J. Hansen rjh at sixdemonbag.org
Sun Feb 27 20:48:33 CET 2011


On 2/27/11 2:37 PM, Martin Gollowitzer wrote:
> I sign *all* my e-mail except for messages sent from my mobile (in that
> case, my signature tells the receiver why the message is not signed and
> offers the receiver to request a signed proof of authenticity later) or
> messages to people who can't receive signed messages (I had a case where
> e-mails arrived empty because of the MS Exchange/Antivirus/whatever
> combination at the receiver's working place).

You may want to reconsider this practice.

Signatures have value if they are correct, originating from a validated
key, belonging to a trusted individual.  If any of those are absent the
signature is more or less just line noise.  You cannot make any logical
inferences from a signature that is bad, that comes from a non-validated
key, or an untrusted individual.

The overwhelming majority of signatures I've seen have been somewhere
between irrelevant and useless.  People tend to fetishize them something
fierce.

>> 2.  And seeing strange MIME attachments doesn't confuse people?
> 
> Less than strange text fragments at the head and the bottom of a message
> (Some people even think they are being spammed when they see inline PGP
> data), because an attachment without useful data will rather be ignored.

Show me the HCI study, please.  This may be a true claim, but I'm not
willing to accept it as such on the basis of one person's anecdotal
experiences.
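As an added illustration of the three conditions named above (correct signature, validated key, trusted individual), here is a small checker over `gpg --status-fd` output; it is not code from this thread or from GnuPG itself. The status lines, fingerprint and user ID are constructed placeholders, and the `trusted_fingerprints` set stands in for the reader's own judgement of whom they trust.

```python
import re

# Constructed status lines in the format of `gpg --status-fd`; the
# fingerprint and user ID are placeholders, not values from the thread.
FPR = "000000000000000000000000" + "0123456789ABCDEF"
UID = "Example User <user@example.org>"
GOODSIG = f"[GNUPG:] GOODSIG {FPR[-16:]} {UID}"
VALIDSIG = f"[GNUPG:] VALIDSIG {FPR} 2011-02-27 1298836113 0 4 0 1 10 00 {FPR}"

SAMPLES = {
    "bad_signature": [f"[GNUPG:] BADSIG {FPR[-16:]} {UID}"],
    "good_unvalidated_key": [GOODSIG, VALIDSIG, "[GNUPG:] TRUST_UNDEFINED 0 pgp"],
    "good_validated_key": [GOODSIG, VALIDSIG, "[GNUPG:] TRUST_FULLY 0 pgp"],
}

GOOD_RE = re.compile(r"^\[GNUPG:\] GOODSIG ")
VALID_RE = re.compile(r"^\[GNUPG:\] VALIDSIG (\S+)")
TRUST_RE = re.compile(r"^\[GNUPG:\] TRUST_(\w+)")


def assess(status_lines, trusted_fingerprints):
    """Apply the three conditions from the message above.

    signature_correct: a GOODSIG line is present (BADSIG, ERRSIG etc. are not).
    key_validated:     GnuPG computed full or ultimate validity for the key.
    signer_trusted:    the caller's own decision, given as a set of fingerprints.
    Only when all three hold may anything be inferred from the signature.
    """
    good, fpr, validity = False, None, None
    for line in status_lines:
        if GOOD_RE.match(line):
            good = True
        if m := VALID_RE.match(line):
            fpr = m.group(1)
        if m := TRUST_RE.match(line):
            validity = m.group(1)
    key_validated = validity in ("FULLY", "ULTIMATE")
    signer_trusted = fpr is not None and fpr in trusted_fingerprints
    return {
        "signature_correct": good,
        "key_validated": key_validated,
        "signer_trusted": signer_trusted,
        "inference_allowed": good and key_validated and signer_trusted,
    }


if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        print(name, assess(lines, {FPR}))
```

A bad signature, a good signature from a key GnuPG could not validate, and a good signature from a validated key whose owner you have not chosen to trust all end up in the same place: nothing may be inferred.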



More information about the Gnupg-users mailing list