Re: gpg et co



On Thu, 12 July 17:30 Lubomir Gelo wrote:

> > I would argue that since MIME is a mechanism for representing complex
> > hierarchical documents, all MIME functionality in a program should be
> > handled by a library specifically designed for that purpose. (Gmime
> > comes to mind.)  Encryption and signing support should be an integral part
> > of that mechanism, i.e. from within, not bolted on to the outside of it.
> 
> I partially agree with both of you: encryption should be done on system-wide
> level (either via library or cryptoserver or whatever).  But that's what GPG is
> supposed to do. Yes, I know it interfaces with applications badly (mainly
> because of Werner :-)) and pipe interface sucks.
> 
> Brian, mail en(de)cryption requires more than parsing MIME document and
> encrypting/signing it. You need key management, user interface etc. That's far
> beyond the gmime scope.  

Agreed, I deliberately skirted this issue.  Most of the encodings in MIME
can be applied transparently.  But assuming a MIME library that implemented
multipart/signed and multipart/encrypted an additional API to the MIME
library for that functionality which is orthogonal to the usual one would
be required.  The layer over that API could then be the Bonobo/plugin/whatever
interface.

This is an issue I've thought about before - libESMTP implements a SASL layer.
This would be a generically useful library but libESMTP tries, as far
as possible, to be a zero configuration library.  SASL requires management
of username / password or other authentication tokens per realm.
Similarly, the socket buffering layer (almost) implements SSL/TLS.  Client
side certificate management is a similar problem to managing the authentication
tokens.  It seems to me stupid that every application should have to
provide a management interface to all this - it complicates use for an app
and means that *every* app using SASL or TLS via my code would have to configure
the auth/cert stuff.  When I solve this one, I'll probably split SASL out
of libESMTP and complete the TLS implementation.

> PS:
> IMO encryption support is much more important than most of us think.
> Integration with MUA (from the user perspective) should be as tight as
> possible. People should get used to it and use it in their everyday
> communication. That's why I think that having working GPG integration
> albeit using crappy pipe interface is a way better than having no encryption
> at all.

Agreed.  This probably matters more for S/MIME certificate management than
PGP/MIME.  But that's not to say either is easy to integrate seamlessly.

Brian Stafford



