C/C++ API for GnuPG
Jason Harris
jharris@widomaker.com
Sat Apr 19 23:01:02 2003
--SvF6CGw9fzJC4Rcx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Fri, Apr 18, 2003 at 07:33:27PM -0700, Joseph Bruni wrote:
> I'm not a GPG-specific programmer, but I'd like to weigh in on this=20
> since I am a Unix programmer. Please indulge me if I'm off base here.
OK.
> I like the idea of GPG running in its own protected, non-swapable=20
> address space with a strictly well-defined communication interface=20
> provided by the anonymous pipe of stdin and stdout, environment=20
> variables, and command-line arguments. If I were a library programmer,=20
(It _sounds_ all warm and fuzzy...)
> (especially a security library), I would want to make sure that nothing=
=20
> could accidentally step on the code that I've spent a lot of time=20
> making robust. A GPG co-process lives in its own protected address=20
> space which (if set up properly) cannot be paged because it is=20
> setuid-root on many systems. As an application programmer, I would not=20
> want some library creating weakness in my application either.
The library knows which page(s) to lock and should request that whether
it runs inside GPG or another app.
> A linkable library, on the other hand, would be completely at the mercy=
=20
> of the library user (application programmer), just as the application=20
> is at the mercy of the library.
>=20
> In Unix, just as userland applications are "quarantined" from (and by)=20
> the kernel in order to provide security and stability, and are only=20
> able to communicate with the kernel through well-defined and checked=20
> APIs, so would the application and GPG be protected from each other by=20
> acting as co-processes in a client-server model which provides a great=20
> deal of robustness.
The application mentioned by the OP (at least on gnupg-devel) would
store secret keys in a db and send passphrases to GPG on a pipe.
If it isn't careful with these, it doesn't really matter if it isn't
careful with the raw private keys. Also, the application will likely
know/produce any plaintext to be encrypted and/or need acess to any
decrypted messages. That pretty much leaves the application holding
all the secrets.
--=20
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web: http://jharris.cjb.net/
--SvF6CGw9fzJC4Rcx
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
iD8DBQE+obliSypIl9OdoOMRApzGAKDVy4a+8GEVlzw3NJfYJ5mJ48/hmwCgnOQY
ZJmBWKjMldWHiBKmjaYs4uk=
=OzPw
-----END PGP SIGNATURE-----
--SvF6CGw9fzJC4Rcx--