In message <42DAF0EC.9010906@gmail.com>, Manuel Freire writes:
>Hello,
>
>I'm developing the application bpg, a BSD-licensed privacy guard, within
>the Google's Summer of Code. As I told you in a previous message, I'd
>like to discuss in this list our opinions about the best way to afford
>the different stages of the project.
>

Two things. 

First, I suspect that there's some necessity to keep the (seriously 
ugly) gpg command line interface.  It's ugly, it's complex, it's 
impossible to figure out what options to use to do simple things.  I'd 
very much prefer a set of much-simpler commands, with the 
gpg-compatible commands just as wrappers around the underlying 
better-designed primitives.

Second, have a look at http://www.cs.columbia.edu/~smb/papers/new-hash.ps
(or .pdf).  In particular, see Section 4 and especially the advice in 
4.1.1 and 4.2 on implementation behavior.  You can't change the 
protocol; you can make sure your implementation behaves properly.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb