Subject: Re: NetBSD and the Google "Summer of Code" Summary
To: None <netbsd-users@netbsd.org>
From: "Nils O. Selåsdal" <noselasd@asgaard.homelinux.org>
List: netbsd-users
Date: 10/17/2005 19:00:07
Matthias Buelow wrote:
> Jan Schaumann wrote:
> 
> 
>>	BPG, the BSD Privacy Guard, is a BSD-licensed program that
>>	performs authentication and encryption using the OpenPGP standard
>>	(RFC 2440).  The BPG project's goals were to produce:
>>
>>	* A set of libraries for signing and encrypting data, allowing the
>>	  integration of OpenPGP features in other applications.
> 
> 
> What is the rationale behind this? I assume you are aware of entry #4.16
> in the GnuPG FAQ, "Can't we have a gpg library?"?
> 
> While I don't know the whole argumentation against a PGP library, one
> (imho) strong argument is that a library would load the decrypted secret
> key into any random application's memory that uses pgp functionality
> (like a mail reader), while with a separate pgp/gpg binary, it will
> reside only in the address space of the pgp/gpg program, which has been
> designed (and carefully checked/hardened) for this situation.

Perhaps an idea would be to model it after
http://cm.bell-labs.com/sys/doc/auth.html
At least the idea is that all sensitive processing is done in the context
of a trusted process, and you can very well have libraries interfacing that.
Or perhaps BPG already does this?
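
The split discussed in this thread, as an added example (not code from BPG, GnuPG or the Plan 9 paper linked above): a forked agent process holds the key, and the application calls thin library functions that talk to it over a socketpair. HMAC-SHA256 stands in for OpenPGP signing; the function names, the length-prefixed wire format and the random key are assumptions made for this example.

```python
import hashlib, hmac, os, socket, struct

def _send(sock, payload):
    sock.sendall(struct.pack("!I", len(payload)) + payload)  # 4-byte length prefix

def _recv(sock):
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise EOFError("peer closed the socket")
            buf += chunk
        return buf
    return exact(struct.unpack("!I", exact(4))[0])

def _serve(sock):
    key = os.urandom(32)  # stand-in for unlocking the secret key; created after fork
    mac = lambda m: hmac.new(key, m, hashlib.sha256).digest()
    while True:
        req = _recv(sock)
        if req[:1] == b"S":  # b"S" + message -> 32-byte tag
            _send(sock, mac(req[1:]))
        else:  # only b"V" + 32-byte tag + message can succeed
            ok = req[:1] == b"V" and hmac.compare_digest(mac(req[33:]), req[1:33])
            _send(sock, b"\x01" if ok else b"\x00")

def start_agent():
    app_end, agent_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:  # child: the trusted process, the only one that ever holds the key
        app_end.close()
        try:
            _serve(agent_end)
        finally:
            os._exit(0)  # never fall back into the application's code
    agent_end.close()
    return app_end, pid

def sign(sock, data):  # library side: sends data, gets a tag, never sees the key
    _send(sock, b"S" + data)
    return _recv(sock)

def verify(sock, data, tag):
    _send(sock, b"V" + tag + data)
    return _recv(sock) == b"\x01"

def stop_agent(sock, pid):
    sock.close()  # agent sees EOF and exits
    os.waitpid(pid, 0)
```

Stop an agent before forking another one: a later child inherits the earlier application-side descriptor, which would keep the first agent from seeing EOF.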