tech-security: Re: adding gpg to src/gnu/dist

Subject: Re: adding gpg to src/gnu/dist
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Alistair Crooks <agc@pkgsrc.org>
List: tech-security
Date: 05/13/2004 14:41:45
On Wed, May 12, 2004 at 09:02:32PM -0400, Thor Lancelot Simon wrote:
> I am appalled by many things about GPG, not least of which are its size,
> its extensive dependencies (which include Perl), and its horrendous user
> interface which betrays an utter lack of understanding of the key role
> that usability plays in the actual secure use of security software.  When
> we already have a program in the base system that can do the job that it
> is being proposed that we use GPG for, and, even better, that program is
> merely a command-line interface to a library which could easily be directly
> linked into the appropriate system/package tools, I am very, very strongly
> opposed to importing GPG into the base system for this purpose.

Actually, I agree with you about the downside of gpg. I have no
intention of dragging perl or anything else into the base system.

However, we need the functionality that gpg provides.  I keep being
told that I can do this by using openssl, but, whenever I've asked
people how to invoke openssl utilities from the command line, then
people start waving their hands (please note that I haven't asked you
how to do that).  I can not find good accessible documentation on how
to use openssl to do this, or I would have done it myself.

So I'd like to know how to accomplish, using openssl, the equivalents
of the following gpg functionality which I need - I can massage any
answers into a shell script which I can commit if necessary:

1. gpg --recv-key 0x0123abcd

2. gpg --refresh-keys

3. gpg --sign-key 0x0123abcd

4. gpg --send-key 0x0123abcd

5. gpg --encrypt

6. gpg --verify

7. gpg --sign

(6 and 7 have to deal with and without detached ASCII-armo(u)red files)

I also need to be able to set a key server for each of these commands.
 
8. gpg --list-keys

> I'm adding tech-security to the carbon list, as that's the appropriate place
> to discuss security issues IMHO, not on tech-userlevel; this discussion
> probably overlaps both areas, but it has a clear security component.

Understandable, I've kept them in.

I'm quite serious about this - if it can be done with openssl, I'll be
very happy, and will use it all the time.

Regards,
Alistair