Trust and distrust [was: Re: Google releases beta OpenPGP code]

tim at piratemail.se tim at piratemail.se
Mon Jun 9 18:44:02 CEST 2014


---- some ideas that would help a distrustful person such as myself before addressing your mistrust question ---

I wish that there was a "standard API" for low level encryption JS libraries.
Not only so that I could swap them in OpenPGPJS on a whim, but so that I could also swap them in my code as well, without writing the glue.

I wish there was a standard for the random number generators. So that I could easily swap out, and ALSO, use a fake number generator to test that different implementations of PGP create *exactly* the same results.

I then wish there was a "standard API" for PGP.
So that when the google code comes out I could swap as I wish. Test one against the other. Use the fake number generator and fake "timestamps" to verify that the resulting output is *exactly* the same in hundreds of test cases.


And then code coverage. I wish there were statistics published about code coverage.
If there is 100% code coverage and the output of two PGP implementations is the same, it gives me a much higher "I trust this code doesn't have an insert somewhere," than just "well the results were the same for the test cases I have."

Swapping + code-coverage + exactly same results + disparate code bases with maintainers who don't look at the other code base (and possibly distrust the other coding group) = more trust from me.


--- begin response to distrust, which I've tried not to make emotionally baited, but really I would just ignore this section ---

I'm not exactly sure if this list is an appropriate place for me to state my reasons for distrusting google.

Find the congressional testimony by google about what they were doing in china, especially the "auto censoring." That was my moment where I realized the google that I had hoped for had nothing to do with the google it transformed into.

In terms of just plain security. 
I will say that I also do not trust OpenPGPJs. But in a different way. After that china testimony I didn't trust google to put people before governments. And unfortunately I feel as if my fears have been proven correct. Since google controls chrome-- a plugin by google designed to thwart google, running within google's chrome?? Ummmm.. Not sure...

If I were an adversary that could force google to do something I wanted, I would make them take screenshots of anybody using this plugin, and send them to me.

-tim
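
The comparison wished for in the message above, sketched as an added example (not part of the original post, and not code from OpenPGPJS or Google's release): two independently written builders of the same packet are given an injected fake RNG and a fixed timestamp, and their outputs are compared byte for byte. The toy packet format and the names `fakeRng`, `sealA`, `sealB`, `sealWeak` and `diffTest` are hypothetical.

```javascript
// Added example; constructed toy packet format, not OpenPGP. Test-only fake RNG.
function fakeRng(seed) {
  let s = seed >>> 0;
  return (n) => Uint8Array.from({ length: n }, () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0; // LCG, never for real keys
    return s >>> 24;
  });
}

// Implementation A: [tag | 4-byte time | 8-byte salt | masked payload], by appending.
function sealA(msg, { rng, now }) {
  const t = now(), salt = rng(8);
  const out = [0x01, t >>> 24, (t >>> 16) & 255, (t >>> 8) & 255, t & 255, ...salt];
  for (let i = 0; i < msg.length; i++) out.push(msg.charCodeAt(i) ^ salt[i % 8]);
  return Uint8Array.from(out);
}

// Implementation B: same format, written independently with a DataView.
function sealB(msg, { rng, now }) {
  const buf = new Uint8Array(13 + msg.length);
  buf[0] = 0x01;
  new DataView(buf.buffer).setUint32(1, now()); // big-endian by default
  const salt = rng(8);
  buf.set(salt, 5);
  for (let i = 0; i < msg.length; i++) buf[13 + i] = msg.charCodeAt(i) ^ salt[i & 7];
  return buf;
}

// Constructed divergent build: only half of the salt comes from the RNG.
function sealWeak(msg, env) {
  const rng = (n) => { const b = env.rng(n); b.copyWithin(n >> 1, 0, n >> 1); return b; };
  return sealA(msg, { ...env, rng });
}

// Give every implementation the same RNG stream and clock, then report the
// first byte offset where its output departs from the first implementation's.
function diffTest(impls, cases, seed, fixedTime) {
  const mismatches = [];
  const run = (fn, msg) => fn(msg, { rng: fakeRng(seed), now: () => fixedTime });
  const [refName, ...others] = Object.keys(impls);
  for (const msg of cases) {
    const ref = run(impls[refName], msg);
    for (const name of others) {
      const got = run(impls[name], msg);
      let i = 0;
      while (i < ref.length && i < got.length && ref[i] === got[i]) i++;
      if (i < Math.max(ref.length, got.length)) mismatches.push({ name, msg, offset: i });
    }
  }
  return mismatches;
}
```

Calling `diffTest({ sealA, sealB, sealWeak }, cases, seed, fixedTime)` returns one entry per test case for the divergent build and none for the two that agree.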



