I asked the devs on the Hacker News thread; they don't seem to like
openpgp.js very much

https://news.ycombinator.com/item?id=7843297

citing his answer:

Not a stupid question at all. We actually considered this option, but
OpenPGP.js looked pretty bad back then.

Security-wise the library wasn't in good shape. One of our
cryptographers would "classify [OpenPGP.js] as trash". It has been
audited recently, but the result doesn't look very good either [1]. I
don't know the current status though.

OpenPGP.js didn't actually implement most of the ciphers - it just
imported them from various sources. This made the library
inconsistent, i.e., some functions expect string, while others expect
byte array, which in turn made it harder to use correctly in a
language like JavaScript. If we chose OpenPGP.js, we needed to change
these ciphers anyway, so we thought it's just better to write them
from scratch.

[1] https://cure53.de/pentest-report_openpgpjs.pdf.



On Tue, Jun 3, 2014 at 11:02 PM, Fabio Pietrosanti (naif)
<[email protected]> wrote:
> http://www.dailydot.com/technology/google-pgp-end-to-end-chrome/
>
> Looking at the code it seems they are using their own OpenPGP
> implementation, or am I wrong?
>
> https://code.google.com/p/end-to-end/source/browse/javascript/crypto/#crypto%2Fe2e%2Fopenpgp%253Fstate%253Dclosed
>
> If so, would it be possible to make a quick assessment on how OpenPGP.js
> could be a good drop-in replacement as part of end-to-end?
>
>
> --
> Fabio Pietrosanti (naif)
> HERMES - Center for Transparency and Digital Human Rights
> http://logioshermes.org - http://globaleaks.org - http://tor2web.org
>
> _______________________________________________
>
> http://openpgpjs.org
> Subscribe/unsubscribe: http://list.openpgpjs.org