Philosophical Question Regarding OpenPGP
jtreinen at gmail.com
Wed Feb 27 20:57:38 CET 2013

I have a general philosophical question regarding OpenPGP implementations,
and I'm hoping that this is an appropriate place to ask it.

When it comes to the most actively maintained implementations, it seems
that GPG, and GPGME as an API are the de-facto standards. Correspondingly,
libgcrypt seems to be one of the best choices for using a lower level
library to provide quality crypto primitives. Observing the standard "thou
shalt not roll thine own crypto" philosophy, I have an ongoing dialog with
one of my colleagues regarding the risks around implementing a library that
would take the output from something like libgcrypt and format it in
compliance with the OpenPGP RFC.

I have looked around and seen some efforts at doing this (e.g.
http://www.cypherspace.org/openpgp/zerucha/ ). The question I pose is
this: Given the inherent risks in rolling your own crypto primitives, is
there equal risk in terms of, say, attempting to secure private keys that
are generated using libgcrypt and storing them in an OpenPGP message
format? It seems to me that there is tremendous risk here in terms of
implementation details, but I'm unable to put my finger on exactly what it

If anybody has thoughts on this topic, I'd love to hear them. I apologize
if this is not an appropriate forum for these types of questions.