Subject: Re: adding gpg to src/gnu/dist
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Alistair Crooks <agc@pkgsrc.org>
List: tech-security
Date: 05/13/2004 14:41:45
On Wed, May 12, 2004 at 09:02:32PM -0400, Thor Lancelot Simon wrote:
> I am appalled by many things about GPG, not least of which are its size,
> its extensive dependencies (which include Perl), and its horrendous user
> interface which betrays an utter lack of understanding of the key role
> that usability plays in the actual secure use of security software. When
> we already have a program in the base system that can do the job that it
> is being proposed that we use GPG for, and, even better, that program is
> merely a command-line interface to a library which could easily be directly
> linked into the appropriate system/package tools, I am very, very strongly
> opposed to importing GPG into the base system for this purpose.
Actually, I agree with you about the downside of gpg. I have no
intention of dragging perl or anything else into the base system.
However, we need the functionality that gpg provides. I keep being
told that I can do this by using openssl, but, whenever I've asked
people how to invoke openssl utilities from the command line, then
people start waving their hands (please note that I haven't asked you
how to do that). I can not find good accessible documentation on how
to use openssl to do this, or I would have done it myself.
So I'd like to know how to accomplish, using openssl, the equivalents
of the following gpg functionality which I need - I can massage any
answers into a shell script which I can commit if necessary:
1. gpg --recv-key 0x0123abcd
2. gpg --refresh-keys
3. gpg --sign-key 0x0123abcd
4. gpg --send-key 0x0123abcd
5. gpg --encrypt
6. gpg --verify
7. gpg --sign
(6 and 7 have to deal with and without detached ASCII-armo(u)red files)
I also need to be able to set a key server for each of these commands.
8. gpg --list-keys
> I'm adding tech-security to the carbon list, as that's the appropriate place
> to discuss security issues IMHO, not on tech-userlevel; this discussion
> probably overlaps both areas, but it has a clear security component.
Understandable, I've kept them in.
I'm quite serious about this - if it can be done with openssl, I'll be
very happy, and will use it all the time.
Regards,
Alistair