Carsten -- I've been noticing that there are places where the openpgp.js code references openpgp.keyring within certain methods. I think this is problematic because it makes the assumption that the available keyring has the necessary information, which can easily not be the case for extensions.
Generally if we're going to have extensions that use content scripts with a separate options page (as I believe both you and I had envisioned) these calls will fail. I do not believe that any of these calls are truly "essential" to operation but are seen in cases like signature checking. (One of the cases I just ran up against is openpgp.msg.message.js:62). Which is why I think it may not appear to be an obvious issue. Also in methods like this I think we need to change the returned value from a string to some other data type that includes the string and other information (such as the status of a signature). I think the longterm solution has to be to take the assumed sender's public key (or an array of possibilities) as an input to this method. Unfortunately in this case we don't get the ID that we absolutely need until we're already partway through the method but I think it would be acceptable to pass in all of the public keys associated with a given email address and then check those keys for an ID that matches what is in the signature. Thoughts? Sean
_______________________________________________ http://openpgpjs.org
