Hello everyone, I have a general philosophical question regarding OpenPGP implementations, and I'm hoping that this is an appropriate place to ask it.
When it comes to the most actively maintained implementations, it seems that GPG, and GPGME as an API are the de-facto standards. Correspondingly, libgrcrypt seems to be one of the best choices for using a lower level library to provide quality crypto primitives. Observing the standard "thou shalt not roll thine own crypto" philosophy, I have an ongoing dialog with one of my colleagues regarding the risks around implementing a library that would take the output from something like libgcrypt and format it in compliance with the OpenPGP RFC. I have looked around and seen some efforts at doing this (e.g. http://www.cypherspace.org/openpgp/zerucha/ ). The question I pose is this: Given the inherent risks in rolling your own crypto primitives, is there equal risk in terms of say, attempting to secure private keys that are generated using libgcrypt and storing them in an OpenPGP message format. It seems to me that there is tremendous risk here in terms of implementation details, but I'm unable to put my finger on exactly what it is. If anybody has thoughts on this topic, I'd love to hear them. I apologize if this is not an appropriate forum for these types of questions. Jim.
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
