--raw-sign, --raw-verify

Werner Koch wk at gnupg.org
Mon Apr 10 11:56:21 CEST 2006


On Sun, 9 Apr 2006 19:14:52 -0400, Anthony Carrico said:

> 1. Add raw sign and verify to GnuPG.

No.

> 2. Maintain applications with parallel key and trust databases.

> To me, this seems extremely unkind to users, and implies duplicate
> code.

No feature crap, please.  There are already too many features and we
try to limit them to OpenPGP-relevant ones.  This does not include use
of OpenPGP beyond the specification.


> I do NOT propose that GnuPG support or maintain non-OpenPGP protocols
> natively. I am trying to forge a secure, minimal path for third party
> applications to implement such protocols independently, while sharing
> a common OpenPGP key infrastructure with GnuPG.

If you want to connect the WoT with your signature scheme, you just
need to include the fingerprint of the certifying OpenPGP key into
your signature.

> I do propose that GnuPG allow access to standard signature algorithms
> (RSA, DSA) which are already maintained. Please note that there is

A long time ago we split Libgcrypt out of GnuPG and that is what
you should use.  Further, forthcoming versions of GnuPG won't come
with any crypto algorithm implementation but will make use of Libgcrypt.

gpg 1.4 will stay the easy-to-build OpenPGP implementation but does
not aim to be the Mozilla of crypto tools.

> My proposal is a pretty small task, and yet it opens the door to share
> GnuPG's key infrastructure with other protocols. Are you sure that it
> would only be useful to very few?

It is a matter of complexity and maintainability.  A dedicated
application is for sure better.  The actual signing operation in
xmldsig is a primitive task compared to all the challenges that
protocol has for developers.

> And finally, there is the possibility to just go ahead and use OpenPGP
> packet syntax in all applications. Hopefully it is obvious that this
> isn't always possible.

FWIW, there is a file system for Linux which just does this.

Regarding xmldsig: save your time and don't try it.  It will never
work reliably, as it is far too complex and has been defined by people
obviously without any real experience in actual signing protocol
design and implementation.


Shalom-Salam,

   Werner
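The fingerprint binding suggested in the reply above (put the fingerprint of the certifying OpenPGP key into the application's own signature so the verifier can reach the Web of Trust through it), as an added example that is not part of the original thread and is not GnuPG or Libgcrypt code. It assumes a hypothetical envelope format of the application's own design, Ed25519 from Go's standard library standing in for the "standard signature algorithm", constructed fingerprints and payload, and a map (TrustDB) standing in for the keyring/trustdb lookup a real verifier would make against the certifying OpenPGP key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Domain-separation prefix for this hypothetical raw signature format, so the
// signed bytes can never be confused with an OpenPGP (or other) signature.
const sigDomain = "example-raw-sig/v1\x00"

// Fingerprint is the 20-byte v4 fingerprint of the certifying OpenPGP key.
type Fingerprint [20]byte

// ParseFingerprint accepts the 40-hex-digit form that gpg prints.
func ParseFingerprint(s string) (Fingerprint, error) {
	var fpr Fingerprint
	b, err := hex.DecodeString(s)
	if err != nil || len(b) != len(fpr) {
		return fpr, fmt.Errorf("want 40 hex digits, got %q", s)
	}
	copy(fpr[:], b)
	return fpr, nil
}

// Envelope is the application's own (non-OpenPGP) signature container. The
// certifier fingerprint travels with the signature and is covered by it.
type Envelope struct {
	Certifier Fingerprint
	Message   []byte
	Signature []byte
}

// signedInput = domain || certifier fingerprint || SHA-256(message).
func signedInput(certifier Fingerprint, msg []byte) []byte {
	digest := sha256.Sum256(msg)
	return append(append([]byte(sigDomain), certifier[:]...), digest[:]...)
}

// Sign makes a raw Ed25519 signature with the application key that the
// OpenPGP key named by certifier has certified.
func Sign(appKey ed25519.PrivateKey, certifier Fingerprint, msg []byte) Envelope {
	return Envelope{Certifier: certifier, Message: msg,
		Signature: ed25519.Sign(appKey, signedInput(certifier, msg))}
}

// TrustDB stands in for the GnuPG keyring/trustdb lookup: fingerprint of a
// trusted OpenPGP key -> the application public key it has certified.
type TrustDB map[Fingerprint]ed25519.PublicKey

var (
	ErrUnknownCertifier = errors.New("certifying OpenPGP key not in trust database")
	ErrBadSignature     = errors.New("raw signature does not verify")
)

// Verify resolves the certifier through the trust database first, then
// checks the raw signature under the application key it found.
func Verify(db TrustDB, env Envelope) error {
	appPub, ok := db[env.Certifier]
	if !ok {
		return ErrUnknownCertifier
	}
	if !ed25519.Verify(appPub, signedInput(env.Certifier, env.Message), env.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Outcome holds each Demo scenario's verification result (nil = accepted).
type Outcome struct{ Good, Unknown, Swapped error }

// Demo runs the honest case and two attacks. Fingerprints and payload are
// constructed for the example; the keys are generated fresh on each run.
func Demo() Outcome {
	fprA, _ := ParseFingerprint("0123456789ABCDEF0123456789ABCDEF01234567")
	fprB, _ := ParseFingerprint("FEDCBA9876543210FEDCBA9876543210FEDCBA98")
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	db := TrustDB{fprA: pubA, fprB: pubB} // both certifiers trusted locally
	msg := []byte("release-1.0.tar.gz sha256=deadbeef") // constructed payload
	env := Sign(privA, fprA, msg)
	out := Outcome{Good: Verify(db, env)}
	unknown := env // names a certifier the verifier has never seen
	unknown.Certifier = Fingerprint{}
	out.Unknown = Verify(db, unknown)
	swapped := env // relabels A's signature as certified by B
	swapped.Certifier = fprB
	out.Swapped = Verify(db, swapped)
	return out
}

func main() {
	out := Demo()
	fmt.Println(out.Good, out.Unknown, out.Swapped)
}
```

The reason the fingerprint sits inside the signed input and not only beside the signature is the Swapped case: relabelling an existing signature as certified by a different trusted key fails, so whatever trust decision the verifier has made about the OpenPGP key carries over to the raw signature unchanged. A real deployment would also verify the certification itself (the OpenPGP signature the certifier made over the application key) instead of trusting a pre-filled map; that is the part the example delegates to the keyring.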
