I have heard a few people complain that GMail doesn’t support GPG. Perhaps those people haven’t thought about that issue for very long. I believe that GMail is an excellent way to deal with your e-mail. However, I also firmly believe that GMail will never offer PGP/GPG support. I mentioned this in a previous post, but I wanted to expand on it here.
First of all, there are the technical reasons. You can’t have your webmail encrypt/decrypt your mail for you if it doesn’t have the keys, and storing your private keys on the GMail servers and then typing in your passphrase when sending mail is hardly a way to guarantee privacy. It’s not even “pretty good” privacy.
One great thing about webmail is that you can access it very easily from any computer. While having the webmail system store your keys is OK as long as it’s *your* webmail system (running on a server you own and control), typing in your passphrase at a random web kiosk to send an encrypted mail is probably not a good idea. If you’re paranoid enough to use GPG to encrypt your mail, you certainly wouldn’t use an untrusted machine to do so.
Secondly, encrypted mail goes against the GMail business plan. If you recall, GMail reads your mail and presents ads with matching content. If your mail was encrypted, GMail wouldn’t be able to do that. End of story. Thus GMail will *never* support encryption.
Thirdly, the biggest feature of GMail (the searching) would be nullified if your e-mails were encrypted. How is it supposed to search through your mails if it can’t read them?
“But,” you might object, “it would be nice to be able to just sign my mails, not necessarily encrypt them.” The technical objections still stand. Signatures work in a similar way to encryption, and GMail would need your key and passphrase to sign things. The other objection is that the purpose of the signature is to verify that the e-mail indeed came from you. If your key is already stored on the GMail server, then someone who gains access to your GMail account (say, using a key logger to get your password) can get your passphrase in the exact same way. This, to me, means that in this case the GPG signature is hardly worth more than the fact that the mail was sent from your GMail account (which can be verified through the mail headers).