HOWTO on interfacing with gnupg/pgp?
Marc Mutz
Marc.Mutz@uni-bielefeld.de
Tue Jun 19 09:32:01 2001
On Monday 18 June 2001 10:15, Werner Koch wrote:
> || On Sun, 17 Jun 2001 23:56:26 +0200
> || Marc Mutz <Marc.Mutz@uni-bielefeld.de> wrote:
>
> mm> Is it ready for production yet?
>
> Use it. It is probably better debugged than other tools invoking gpg
> and well, I amthe manin author of both and so I take care that both
> are working.
I'll have a look at gpgme's interfacing with gpg, but I am currently
more interested in design _principles_ than in details.
> mm> Will it be binary compatible within minor revision numbers?
>
> I don't undertstand this. The standard library conventions are of
> course honoured and I once stated that I see no reason to change an
> existing API.
It's just that the KDE team just had a bad experience with the OpenSSL
0.9.5->0.9.6{,a} transition, which broke BC, IIRC. One developer went
and started his own crypto lib because of that (no, I'm not advocating
that. In fact, I'm extremely opposed to that idea and hope that it will
never be adopted. The world doesn't need yet another crypto lib).
> mm> Does it support PGP?
>
> Of course not! The GNU project[1] does not support proprietary
> software or advocates its use.
<snip>
> Why do you want to use PGP? Aren't you still not upset enough about
> their policies and deliberately introduced incomptibilities? Tssss.
<snip>
We happen to support PGP up to v6.x. If we were to start from scratch
_now_, we'd probably restrict ourselves to supporting gnupg via gpgme.
I certainly don't want to write _new_ interface classes for these
programs, but we should keep the possibility to interface with old pgp
implementations.
In the light of the critical passphrase handling issues in KMail's
pgp/gpg interface, I just wanted to extend my auditing of the
(passphrase storing) high-level class to the low-level interface
classes. In this framework I'm currently working. Thus cometh my
question on how to best interface with _this kind of_ programs
securely. And probably a little bit on how to best handle passphrases
in the frontend.
So switching to gpgme isn't an option ATM, since we are in feature
freeze for the upcoming KDE 2.2beta and final releases.
Marc
--
Marc Mutz <Marc@Mutz.com>
http://marc.mutz.com/
http://www.mathematik.uni-bielefeld.de/~mmutz/
http://EncryptionHOWTO.sourceforge.net/