C/C++ API for GnuPG

Tony_Mione@peoplesoft.com Tony_Mione@peoplesoft.com
Thu Apr 17 21:03:26 2003


I have been looking for an OpenPGP based library for C/C++. I noticed
that GnuPG only generates executables (plus libraries for the
underlying crypto and other utility routines.) The FAQ says that this
project (of providing a full API) will not be taken on since there are
some concerns about opening possible security holes.

I have looked at Gpgme. I like it to some degree but I do not like the
fact that it forks another process and calls gpg at the command line. I am
trying to avoid that type of interface. I would use libgcrypt for my
project but it ONLY implements the crypto and I can really use the
packet processing features of the source code in g10.

So, what are the security holes that may be opened if this is made
into a library? Do people involved with Gpg believe that the same
holes [may] exist in the PGP SDK marketed by PGP, Inc. then NAI, and soon
PGP International?

In my mind, a programmatic API would be better than spawning processes
that may need to have a passphrase in the command line. Does this make
sense or am I missing something here?

Thanks for any help that people can give here.

Take care.

Antonino N. Mione           PeopleTools Security and Infrastructure
PeopleSoft, Inc., 4411 PeopleSoft Pkwy., Pleasanton, Ca. 94588
Antonino_Mione@peoplesoft.com                    +1-(925)-694-6118
got Crypto?
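
The message's concern about a passphrase on a spawned process's command line, as an added example that is not part of the original post or of GnuPG/Gpgme: a C sketch of handing a secret to a child over an inherited pipe, which is the mechanism behind GnuPG's `--passphrase-fd` option. The function name, the `sh` stand-in child and the sample secret are assumptions constructed for illustration.

```c
/* Added example: pass a secret to a child process over a pipe, not argv. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_SECRET 512   /* POSIX guarantees a pipe buffers at least 512 bytes */

/* Runs argv[0] with `secret` readable on the child's file descriptor 3.
 * Returns the child's exit status, or -1 on error. The secret is written
 * before fork(), so it must fit in the pipe buffer (<= MAX_SECRET bytes). */
int spawn_with_secret_fd(char *const argv[], const char *secret)
{
    int p[2];
    size_t len = strlen(secret);
    if (len > MAX_SECRET || pipe(p) < 0)
        return -1;
    if (write(p[1], secret, len) != (ssize_t)len) {
        close(p[0]); close(p[1]);
        return -1;
    }
    pid_t pid = fork();
    if (pid == 0) {                       /* child */
        close(p[1]);                      /* so the reader sees EOF */
        if (p[0] != 3) { dup2(p[0], 3); close(p[0]); }
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    close(p[0]);                          /* parent keeps no copy of the pipe */
    close(p[1]);
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed stand-in for gpg: a shell that reads fd 3 and checks only
     * the length. With GnuPG the argv would instead look like
     *   gpg --batch --passphrase-fd 3 --decrypt <file>
     * (GnuPG 2.1 and later also need --pinentry-mode loopback). */
    char *argv[] = { "sh", "-c", "IFS= read -r s <&3; [ ${#s} -eq 10 ]", NULL };
    int rc = spawn_with_secret_fd(argv, "s3cr3t-abc");   /* constructed value */
    printf("child exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The child's argument vector, which other local users can read from the process list, contains only the descriptor number; the secret travels through the pipe.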