OpenPGP library?

[Matthew Byng-Maddick]

On Wed, Aug 29, 2001 at 02:45:01PM +0200, Werner Koch wrote:
> On 29 Aug 2001 11:46:33 -0000, Evil  said:
> > Those are security policies.  Deciding to not have a library is a
> > policy.  Those policies may be wrong for some users.  If you are
> And deciding not to write it in ADA is another one, probably a bad
> one.  I am takling about gpg(1) *tool*

I don't want to argue with the rest of this message, however there are some
obvious things standing out here, and before you say "well, submit a patch",
I have, and it was very obviously ignored.

There is an obvious issue that you can list the subpackets in a keyring,
but there is no way of listing these in a sensible machine readable format,
and being able to check the signatures that signed them at the same time.
If you had the code as a library where you could get libgpg to parse the
subpackets in a file, and then be able to do such things as check
signatures on them too, this would be good. Since this functionality is
not currently in GPG, and there appears to be no drive to get it in, and
I suspect that a really OpenPGP compliant implementation should be able
to give this kind of information out.

It seems to me to be worse "security" to say to an end user:
"You need to apply this patch to gnupg and rebuild it in order to use this
 software."

I do appreciate that GnuPG goes to some lengths, to, for example, try and
make sure that key material doesn't get written unencrypted to disk, but
checking a signature, for example, doesn't need to have the private key,
having this kind of functionality in a library would be *extremely* useful.
I do hear what you're saying about doing the encryption, however, it is
difficult enough to get right that perhaps just having anything be able to
link into the library isn't useful.

My 0.02,

MBM

-- 
Matthew Byng-Maddick         <mbm@colondot.net>           http://colondot.net/