> Why not talk to each other and share notes at least ?

I'm already too busy to develop firegpg, I won't begin to communicate with another person to develop some feature in common as I can't develop firegpg himself

The way i see it: if a protocol has no active upstream support, no advocate, no formal specification, no development community, and no way of responding to reasonable concerns, then implementations of that protocol probably do not belong in a piece of user-facing security-critical software.  At least not without big shiny red warning flags all around any and all UI related to where it might actually be used (and even that should only be possible after ticking a checkbox that can only be found in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard')

> No.

It seems like Enigform and FireGPG do some similar (though certainly not identical) tasks.  They both do some incredible work behind the scenes to help Firefox talk to GnuPG, both potentially deal with Web of Trust issues, both ask the user for their GPG passphrase, and both deal with potential signing of sensitive data.  Why not talk to each other and share notes at least?

Why ? Maybe he could be usefull

> Are you guys in discussion with buanzo (the author of enigform) ?

No.

If you don't know how to reach the gpgAuth author, and he seems to have abandoned his own project, perhaps support for gpgAuth should be dropped from FireGPG ?  Are you guys in discussion with buanzo (the author of enigform) about the ways your respective tools could work together?

No

> can you explain more about why that wouldn't be a risk for users of firegpg?

They have to confirm any gpgauth action

And i'm concerned not just that gpgauth is spoofable (i wouldn't trust it anyway), but that gpgauth support in firegpg could potentially allow for abuse of the user's keyring by a remote server which prompts for gpgauth activity.

can you explain more about why that wouldn't be a risk for users of firegpg?

I'm not the auther of gpgauth, and if there is any security problem with gpgauth, it's wont affect the rest of firegpg

I sugest you to contact the author of gpgAuth

Is fireGPG's gpgauth support vulnerable to the concerns i raised there?

I don't know

Regards,

Tried to follow the links to both the GPGauth write-up and the gpgauth.com site, but both links appear broken.

What is the current status with GPGauth and where can I find the latest GPGauth-related code and docs?

Thanks in advance,

Eva

How to add the plug in firegpg.xpi to firefox bowser?

Just drag it into a firefox window....

We have posted a write-up that talks about what gpgAuth is and how it works.  You can visit it here: http://www.gpgauth.com/#what_how

We are working on getting a writeup that explains how to implement it. It should be available sometime Monday, June 25th, 2007.

The forums are open now as well, so feel free to ask some questions.

The gpgAuth Team - www.gpgauth.com