I'm not finding a lot of information since the end of ~last year~ on the status of OpenPGP.js checks. Perhaps an inquiry on their mailing list is in order - I didn't see archives. I would guess Mailvelope uses whatever keystore options OpenPGP.js offers which as of now (as near as I can tell) doesn't include GnuPG compatibility (with already noted limitations as good reasons).
Will be interested to see how both evolve. -Ali On Tue, Dec 11, 2012 at 9:31 AM, Petter Ericson <[email protected]> wrote: > I would claim that the expected behaviour would be to use any available > keystore by default, or alternatively (if none is found) to install its > own in a "default" location. On *nix, this is usually ~/.gnupg, and if > GPG4Win is "widely" used on windows, I would expect one such keystore to > be implemented. > > However, I am unsure how much of this can be done from browser plugins. > > Still, with the caveats mentioned further down the thread, I have to > say this is a great thing, at first glance. More (and better) encryption > tools make more (and better) encryption! > > Cheers > > /P > > On 11 December, 2012 - Robbie MacKay wrote: > > > "1. Mailvelope appears to use its own keystore (at least on Windows), and > > not the > > GPG keystore. Specifically, it doesn't use the GPG4Win keystore, > which > > is > > the one I'd expect it to use." > > > > In some ways this is great: it means novice users don't have to worry > about > > getting GPG4Win or any other keystore installed first. Simplifying > > encryption for end users is definitely better, though I can't speak to > the > > quality of their implementation. For those of us who already have a GPG > > keystore set up (and existing keys) I'd definitely rather it used those. > > > > On Tue, Dec 11, 2012 at 9:16 AM, Nick Daly <[email protected]> > wrote: > > > > > On Mon, Dec 10, 2012 at 1:42 PM, Fabio Pietrosanti (naif) > > > <[email protected]> wrote: > > > > Hi all, > > > > > > > > for whose who has still not see that project, i wanted to send a > notice > > > > about MailVelope, OpenPGP encryption for webmail: > > > http://www.mailvelope.com > > > > > > > > > > It's a client-side, plug-in based (similar to CryptoCat), OpenPGP > email > > > > encryption plugin available for Chrome and Firefox. > > > > > > > > Source code is available under AGPL on > > > > https://github.com/toberndo/mailvelope > > . > > > > > > > > Does anyone ever security reviewed it? > > > > -- > > > > Unsubscribe, change to digest, or change password at: > > > https://mailman.stanford.edu/mailman/listinfo/liberationtech > > > > > > > > This (could finally be) email encryption done right: encryption is > > > performed on the user's browser, so that the server storing the > > > communication never sees the contents of the message. > > > > > > However, after installing it on Chrome, I have a few concerns: > > > > > > 1. Mailvelope appears to use its own keystore (at least on Windows), > and > > > not the > > > GPG keystore. Specifically, it doesn't use the GPG4Win keystore, > which > > > is > > > the one I'd expect it to use. > > > > > > 2. When creating a new PGP key in Mailvelope, it has some pretty poor > > > defaults. > > > > > > A. Keys are set to 1024 bits, instead of 2048 (or 4096). Anything > > > under 2048 is probably insufficient. > > > > > > B. Keys are set to never expire, and that can't be configured. > > > Different keys should be used for different purposes and should > > > expire differently. It's not a bad idea to cause email-signing > > > keys to expire after 3 - 5 years. > > > > > > Both 2.A and 2.B can be fixed through GPA or another frontend, but > > > that's still bad key-creation practice. > > > > > > However, it *does* show the long-form key ID (the last 8 bytes of the > > > fingerprint), which is probably the minimum necessary to avoid most > > > collision attacks. > > > > > > Nick > > > -- > > > Unsubscribe, change to digest, or change password at: > > > https://mailman.stanford.edu/mailman/listinfo/liberationtech > > > > > > > > > > > > > -- > > Robbie Mackay > > > > Software Developer, External Projects > > Ushahidi Inc > > m: +64 27 576 2243 > > e: [email protected] > > skype: robbie.mackay > > > -- > > Unsubscribe, change to digest, or change password at: > https://mailman.stanford.edu/mailman/listinfo/liberationtech > > > > -- > Petter Ericson ([email protected]) > > Telecomix Sleeper Jellyfish > -- > Unsubscribe, change to digest, or change password at: > https://mailman.stanford.edu/mailman/listinfo/liberationtech > > >
-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
