The way I see it: if a protocol has no active upstream support, no advocate, no formal specification, no development community, and no way of responding to reasonable concerns, then implementations of that protocol probably do not belong in a piece of user-facing security-critical software. At least not without big shiny red warning flags all around any and all UI related to where it might actually be used (and even that should only be possible after ticking a checkbox that can only be found in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard').
It seems like Enigform and FireGPG do some similar (though certainly not identical) tasks. They both do some incredible work behind the scenes to help Firefox talk to GnuPG, both potentially deal with Web of Trust issues, both ask the user for their GPG passphrase, and both deal with potential signing of sensitive data. Why not talk to each other and share notes at least?
Last edited by dkg (2009-03-16 06:28:01)