C/C++ API for GnuPG

Jason Harris jharris@widomaker.com
Sat Apr 19 23:01:02 2003

On Fri, Apr 18, 2003 at 07:33:27PM -0700, Joseph Bruni wrote:

> I'm not a GPG-specific programmer, but I'd like to weigh in on this
> since I am a Unix programmer. Please indulge me if I'm off base here.

> I like the idea of GPG running in its own protected, non-swappable
> address space with a strictly well-defined communication interface
> provided by the anonymous pipe of stdin and stdout, environment
> variables, and command-line arguments. If I were a library programmer,

(It _sounds_ all warm and fuzzy...)

> (especially a security library), I would want to make sure that nothing
> could accidentally step on the code that I've spent a lot of time
> making robust. A GPG co-process lives in its own protected address
> space which (if set up properly) cannot be paged because it is
> setuid-root on many systems. As an application programmer, I would not
> want some library creating weakness in my application either.

The library knows which page(s) to lock and should request that whether
it runs inside GPG or another app.

> A linkable library, on the other hand, would be completely at the mercy
> of the library user (application programmer), just as the application
> is at the mercy of the library.
> In Unix, just as userland applications are "quarantined" from (and by)
> the kernel in order to provide security and stability, and are only
> able to communicate with the kernel through well-defined and checked
> APIs, so would the application and GPG be protected from each other by
> acting as co-processes in a client-server model which provides a great
> deal of robustness.

The application mentioned by the OP (at least on gnupg-devel) would
store secret keys in a db and send passphrases to GPG on a pipe.
If it isn't careful with these, it doesn't really matter if it isn't
careful with the raw private keys.  Also, the application will likely
know/produce any plaintext to be encrypted and/or need access to any
decrypted messages.  That pretty much leaves the application holding
all the secrets.

Jason Harris          | NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web:  http://jharris.cjb.net/

Version: GnuPG v1.2.1 (FreeBSD)
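The point Jason makes above (the library knows which pages hold secrets and can ask for them to be locked itself, whether it is linked into an application or running inside the gpg process) is easy to demonstrate with POSIX mlock(). The following is an added example written for this page, not code from GnuPG or from either poster. It assumes a POSIX system with mmap()/mlock() (Linux or FreeBSD); the buffer layout, function names and the "constructed-passphrase" value are all made up for illustration. Note that mlock() can be refused (RLIMIT_MEMLOCK, no privilege), so the request's outcome is reported to the caller rather than silently ignored.

```c
/* Added example: a small page-locked buffer for secrets that a library can
 * manage itself, independent of the process it runs in.
 * Assumes POSIX mmap()/mlock()/munlock() (Linux or FreeBSD). */
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct secmem {
    unsigned char *base;   /* page-aligned anonymous mapping */
    size_t len;            /* mapping length, a multiple of the page size */
    int locked;            /* 1 if mlock() succeeded, 0 if the kernel refused */
};

/* Map whole pages for the secret and ask the kernel to keep them resident.
 * Returns 0 on success, -1 if the mapping itself failed. A refused mlock()
 * is not fatal here: it is reported in m->locked so the caller can decide
 * whether an unlocked (pageable) buffer is acceptable for its policy. */
int secmem_alloc(struct secmem *m, size_t nbytes)
{
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0 || nbytes == 0) return -1;
    size_t len = ((nbytes + (size_t)pg - 1) / (size_t)pg) * (size_t)pg;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    m->base = p;
    m->len = len;
    m->locked = (mlock(p, len) == 0);
#ifdef MADV_DONTDUMP
    /* Linux only: also keep these pages out of core dumps (best effort). */
    madvise(p, len, MADV_DONTDUMP);
#endif
    return 0;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the
 * stores as dead code (the classic "memset before free" elision). */
void secmem_wipe(struct secmem *m)
{
    volatile unsigned char *p = m->base;
    for (size_t i = 0; i < m->len; i++) p[i] = 0;
}

/* Returns 1 if every byte of the buffer is zero, else 0. */
int secmem_is_zero(const struct secmem *m)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < m->len; i++) acc |= m->base[i];
    return acc == 0;
}

/* Wipe, unlock if we locked, and unmap. Safe to call twice. */
void secmem_free(struct secmem *m)
{
    if (!m->base) return;
    secmem_wipe(m);
    if (m->locked) munlock(m->base, m->len);
    munmap(m->base, m->len);
    m->base = NULL;
    m->len = 0;
    m->locked = 0;
}

/* Demonstration: copy a constructed (not real) passphrase into locked
 * memory, report the lock status, wipe it, and verify the wipe.
 * Returns 1 if the buffer was verifiably cleared, 0 otherwise. */
int secmem_demo(void)
{
    struct secmem m;
    const char secret[] = "constructed-passphrase-not-real";
    if (secmem_alloc(&m, sizeof secret) != 0) return 0;
    memcpy(m.base, secret, sizeof secret);
    printf("locked=%d len=%zu page_aligned=%d\n", m.locked, m.len,
           ((unsigned long)m.base % (unsigned long)sysconf(_SC_PAGESIZE)) == 0);
    secmem_wipe(&m);
    int clean = secmem_is_zero(&m);
    secmem_free(&m);
    return clean;
}

int main(void)
{
    return secmem_demo() ? 0 : 1;
}
```

The design choice worth noting is that locking is requested by the code that owns the secret, not by whoever happens to link it: a co-process layout does not change who knows which bytes are sensitive, and if the lock is refused the owner finds out and can refuse to proceed rather than assume the pages are resident.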