C/C++ API for GnuPG
Sat Apr 19 23:01:02 2003
On Fri, Apr 18, 2003 at 07:33:27PM -0700, Joseph Bruni wrote:
> I'm not a GPG-specific programmer, but I'd like to weigh in on this
> since I am a Unix programmer. Please indulge me if I'm off base here.
> I like the idea of GPG running in its own protected, non-swapable
> address space with a strictly well-defined communication interface
> provided by the anonymous pipe of stdin and stdout, environment
> variables, and command-line arguments. If I were a library programmer,
(It _sounds_ all warm and fuzzy...)
> (especially a security library), I would want to make sure that nothing
> could accidentally step on the code that I've spent a lot of time
> making robust. A GPG co-process lives in its own protected address
> space which (if set up properly) cannot be paged because it is
> setuid-root on many systems. As an application programmer, I would not
> want some library creating weakness in my application either.
The library knows which page(s) to lock and should request that whether
it runs inside GPG or another app.
> A linkable library, on the other hand, would be completely at the mercy
> of the library user (application programmer), just as the application
> is at the mercy of the library.
> In Unix, just as userland applications are "quarantined" from (and by)
> the kernel in order to provide security and stability, and are only
> able to communicate with the kernel through well-defined and checked
> APIs, so would the application and GPG be protected from each other by
> acting as co-processes in a client-server model which provides a great
> deal of robustness.
The application mentioned by the OP (at least on gnupg-devel) would
store secret keys in a db and send passphrases to GPG on a pipe.
If it isn't careful with these, it doesn't really matter if it isn't
careful with the raw private keys. Also, the application will likely
know/produce any plaintext to be encrypted and/or need access to any
decrypted messages. That pretty much leaves the application holding
all the secrets.
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
firstname.lastname@example.org | web: http://jharris.cjb.net/
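The reply's point that the library itself knows which pages hold secrets and should lock them whether it is linked into gpg or into some other application, as an added example that is not from the thread or from GnuPG: a small page-locking buffer for a library to keep its own key material out of swap. The names (`secbuf_t`, `secbuf_alloc`, `secbuf_store`, `secbuf_wipe`, `secbuf_free`) are assumptions for this illustration, and it assumes a POSIX system with `mmap`/`mlock`.

```c
/* Added example (not from the thread): a library-side "secure buffer" that pins
 * its own pages, so secrets stay out of swap whether it runs inside gpg or an app. */
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

typedef struct {
    unsigned char *mem;   /* page-aligned, mlock()ed region */
    size_t len;           /* bytes the caller asked for */
    size_t alloc;         /* bytes actually mapped (whole pages) */
} secbuf_t;
/* Map whole pages and pin them. Returns 0 on success, -1 holding nothing. */
int secbuf_alloc(secbuf_t *b, size_t len) {
    memset(b, 0, sizeof *b);
    long ps = sysconf(_SC_PAGESIZE);
    size_t page = ps > 0 ? (size_t)ps : 4096;
    size_t alloc = ((len ? len : 1) + page - 1) / page * page;
    void *p = mmap(NULL, alloc, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    if (mlock(p, alloc) != 0) { munmap(p, alloc); return -1; }
#ifdef MADV_DONTDUMP
    madvise(p, alloc, MADV_DONTDUMP);  /* locking stops swap, not core dumps */
#endif
    b->mem = p; b->len = len; b->alloc = alloc;
    return 0;
}
/* Bounds-checked copy into the buffer: -1 if n exceeds what was requested. */
int secbuf_store(secbuf_t *b, const void *src, size_t n) {
    if (!b->mem || n > b->len) return -1;
    memcpy(b->mem, src, n);
    return 0;
}
/* Zero through a volatile pointer (not optimised away); 1 if all bytes read back 0. */
int secbuf_wipe(secbuf_t *b) {
    volatile unsigned char *v = b->mem;
    for (size_t i = 0; i < b->alloc; i++) v[i] = 0;
    for (size_t i = 0; i < b->alloc; i++) if (v[i]) return 0;
    return 1;
}
/* Wipe before unlocking, so pages never leave the lock with content. */
void secbuf_free(secbuf_t *b) {
    if (!b->mem) return;
    secbuf_wipe(b);
    munlock(b->mem, b->alloc);
    munmap(b->mem, b->alloc);
    memset(b, 0, sizeof *b);
}
```

The caller (gpg or a host application) still has to keep the passphrase it hands over just as carefully, which is the reply's other point; locking inside the library only covers the copy the library holds.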