OpenPGP library?

Matthew Byng-Maddick gnupg@lists.colondot.net
Wed Aug 29 15:32:01 2001


On Wed, Aug 29, 2001 at 02:45:01PM +0200, Werner Koch wrote:

> On 29 Aug 2001 11:46:33 -0000, Evil said:
> > Those are security policies. Deciding to not have a library is a
> > policy. Those policies may be wrong for some users. If you are
> And deciding not to write it in ADA is another one, probably a bad
> one. I am takling about gpg(1) *tool*
I don't want to argue with the rest of this message, however there are some obvious things standing out here, and before you say "well, submit a patch", I have, and it was very obviously ignored. There is an obvious issue that you can list the subpackets in a keyring, but there is no way of listing these in a sensible machine readable format, and being able to check the signatures that signed them at the same time. If you had the code as a library where you could get libgpg to parse the subpackets in a file, and then be able to do such things as check signatures on them too, this would be good. Since this functionality is not currently in GPG, and there appears to be no drive to get it in, and I suspect that a really OpenPGP compliant implementation should be able to give this kind of information out. It seems to me to be worse "security" to say to an end user: "You need to apply this patch to gnupg and rebuild it in order to use this software." I do appreciate that GnuPG goes to some lengths, to, for example, try and make sure that key material doesn't get written unencrypted to disk, but checking a signature, for example, doesn't need to have the private key, having this kind of functionality in a library would be *extremely* useful. I do hear what you're saying about doing the encryption, however, it is difficult enough to get right that perhaps just having anything be able to link into the library isn't useful. My 0.02, MBM -- Matthew Byng-Maddick <mbm@colondot.net> http://colondot.net/