Subject: Re: adding gpg to src/gnu/dist
To: None <tech-userlevel@netbsd.org, tech-security@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-userlevel
Date: 05/13/2004 11:25:08

On Thu, May 13, 2004 at 02:41:45PM +0100, Alistair Crooks wrote:
> 
> However, we need the functionality that gpg provides.  I keep being

I don't agree.  We need _a very small part_ of the functionality that
gpg provides, that of RSA signing and signature checking.  The rest
of it, we don't need; it's either candy, or it's intended for a purpose
that's not ours.

For example, in the extensive list of gpg command-line invocations
for which you asked for equivalents, quite a few of them are
associated with web-of-trust management.  But (for this purpose)
we don't have a web of trust; we have a trust hierarchy.  This
means that a huge amount of the functionality in GPG is superfluous,
whatever one thinks of how it's implemented.

I could give you the openssl command-line syntax for the actual
signing operations, but it's pretty awful; besides, I'm sure you
could puzzle it out for yourself.  That's not the point.  As Dan
pointed out, users should never have to be exposed to _either_
of these command-line tools -- and OpenSSL is a *library*, and
even better it's one that generates and checks signatures in a
format that many other libraries can handle as well.  We can
integrate OpenSSL support directly into the pkgtools and the
system installer, and rely on no external utility at all.  I'd
be glad to help you do that, if you like.