> But PGP-over-SMTP would still leak important metadata, and you would still have problems with forward secrecy and key revocation.
I don't think a well-integrated PGP-over-SMTP client would leak any more metadata than the likes of Signal does? Build in a good subkey rotation config and you'd solve most of the forward secrecy issues, and good defaults for how to treat revocation (including better expiry defaults) would resolve that issue. No?
You would still leak unencrypted headers, which in SMTP are numerous and interesting. A client could minimize the useful content of the message headers, but you're always going to have at least the envelope headers available to every intermediate mail host.
I do not know enough to be sure about your point about forward secrecy. You may be right.
”But that's the case with Signal et al as well isn’t it?”
No.
”Because your phone will be connecting to Signal’s servers, your cellular carrier can determine whether or not you are using the service. However, your carrier cannot gather any information about the individuals or groups with whom you are communicating.”
I don't think a well-integrated PGP-over-SMTP client would leak any more metadata than the likes of Signal does? Build in a good subkey rotation config and you'd solve most of the forward secrecy issues, and good defaults for how to treat revocation (including better expiry defaults) would resolve that issue. No?