Hi Karel,

Thanks for the mail.

> Security-wise the library wasn't in good shape.
...
> It has been audited recently, but the result doesn't look very good either
> [1].

Afaik all/most issues have been fixed. Show me another audited implementation ;)

> One of our cryptographers would "classify [OpenPGP.js] as trash".

Well, everyone can have their own opinion. But I think we're on a rather good track here. Might be interesting to look at the recently published implementation from Google though.

> This made the library inconsistent

APIs can be fixed and are currently optimised...

> it's just better to write them from scratch.

...but re-implementing core ciphers from scratch just doesn't make sense (imho - from a security, performance and standard compliance perspective).

Best regards,
Alex

On 04 Jun 2014, at 19:02, Karel Bílek <[email protected]> wrote:

> I asked the devs on hacker news thread, they don't seem to like
> openpgp.js very much
>
> https://news.ycombinator.com/item?id=7843297
>
> citing his answer:
>
> Not a stupid question at all. We actually considered this option, but
> OpenPGP.js looked pretty bad back then.
>
> Security-wise the library wasn't in good shape. One of our
> cryptographers would "classify [OpenPGP.js] as trash". It has been
> audited recently, but the result doesn't look very good either [1]. I
> don't know the current status though.
>
> OpenPGP.js didn't actually implement most of the ciphers - it just
> imported them from various sources. This made the library
> inconsistent, i.e., some functions expect string, while others expect
> byte array, which in turn made it harder to use correctly in a
> language like Javascript. If we chose OpenPGP.js, we needed to change
> these ciphers anyway, so we thought it's just better to write them
> from scratch.
>
> [1] https://cure53.de/pentest-report_openpgpjs.pdf.
>
> On Tue, Jun 3, 2014 at 11:02 PM, Fabio Pietrosanti (naif)
> <[email protected]> wrote:
>> http://www.dailydot.com/technology/google-pgp-end-to-end-chrome/
>>
>> Looking at the code it seems they are using their own OpenPGP
>> implementation, or am I wrong?
>>
>> https://code.google.com/p/end-to-end/source/browse/javascript/crypto/#crypto%2Fe2e%2Fopenpgp%253Fstate%253Dclosed
>>
>> If so, would it be possible to make a quick assessment on how OpenPGP.js
>> could be a good drop-in replacement as part of end-to-end?
>>
>>
>> --
>> Fabio Pietrosanti (naif)
>> HERMES - Center for Transparency and Digital Human Rights
>> http://logioshermes.org - http://globaleaks.org - http://tor2web.org
>>
>> _______________________________________________
>>
>> http://openpgpjs.org
>> Subscribe/unsubscribe: http://list.openpgpjs.org

