Topic: About gpgAuth

We have posted a write-up that talks about what gpgAuth is and how it works.  You can visit it here: http://www.gpgauth.com/#what_how

We are working on getting a writeup that explains how to implement it. It should be available sometime Monday, June 25th, 2007.

The forums are open now as well, so feel free to ask some questions.

The gpgAuth Team - www.gpgauth.com

Re: About gpgAuth

How to add the plug-in firegpg.xpi to firefox browser?

Re: About gpgAuth

Didn't understand.

Re: About gpgAuth

sbkolluru wrote:

How to add the plug-in firegpg.xpi to firefox browser?

Just drag it into a firefox window....

Re: About gpgAuth

Hello,

Tried to follow the links to both the GPGauth write-up and the gpgauth.com site, but both links appear broken.

What is the current status with GPGauth and where can I find the latest GPGauth-related code and docs?

Thanks in advance,

Eva

Re: About gpgAuth

Hi,

I don't know ;)

Regards,

Re: About gpgAuth

I recently raised significant problems and concerns with the gpgauth protocol on the gpgauth forums, and only got a response from someone who does not appear to be an author of the site.

Is fireGPG's gpgauth support vulnerable to the concerns i raised there?

Re: About gpgAuth

Hi,

I'm not the author of gpgauth, and if there is any security problem with gpgauth, it won't affect the rest of firegpg ;)

I suggest you contact the author of gpgAuth ;)

Re: About gpgAuth

I've tried to contact the author by posting on the forum, but didn .  do you have another way i should contact him or her?  whois suggests that he's named "kyle huff", but the main kyle huffs i found online was someone who went on shooting rampage in seattle a few years ago :(

And i'm concerned not just that gpgauth is spoofable (i wouldn't trust it anyway), but that gpgauth support in firegpg could potentially allow for abuse of the user's keyring by a remote server which prompts for gpgauth activity.

can you explain more about why that wouldn't be a risk for users of firegpg?

Re: About gpgAuth

> do you have another way i should contact him or her?

No

> can you explain more about why that wouldn't be a risk for users of firegpg?

They have to confirm any gpgauth action ;)

Re: About gpgAuth

Thanks for your quick followup, the_glu.  If i find anything out that's relevant to firegpg, i'll post it here.

Re: About gpgAuth

I found a discussion on enigform's forum that suggests that Kyle Huff (the original gpgAuth author) is proposing abandoning gpgAuth entirely in favor of enigform and apache's associated mod_auth_openpgp. another post suggests that he has in fact joined the enigform team. As such, i plan on moving my cryptographic review to that suite of tools, and suggest that people avoid using gpgAuth entirely unless more information is forthcoming.

If you don't know how to reach the gpgAuth author, and he seems to have abandoned his own project, perhaps support for gpgAuth should be dropped from FireGPG ?  Are you guys in discussion with buanzo (the author of enigform) about the ways your respective tools could work together?

Last edited by dkg (2009-03-16 03:52:12)

Re: About gpgAuth

> perhaps support for gpgAuth should be dropped from FireGPG ?

Why ? Maybe he could be useful ;)

> Are you guys in discussion with buanzo (the author of enigform) ?

No.

Re: About gpgAuth

> Why?

The way i see it: if a protocol has no active upstream support, no advocate, no formal specification, no development community, and no way of responding to reasonable concerns, then implementations of that protocol probably do not belong in a piece of user-facing security-critical software.  At least not without big shiny red warning flags all around any and all UI related to where it might actually be used (and even that should only be possible after ticking a checkbox that can only be found in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard') ;)

> No.

It seems like Enigform and FireGPG do some similar (though certainly not identical) tasks.  They both do some incredible work behind the scenes to help Firefox talk to GnuPG, both potentially deal with Web of Trust issues, both ask the user for their GPG passphrase, and both deal with potential signing of sensitive data.  Why not talk to each other and share notes at least?

Last edited by dkg (2009-03-16 06:28:01)

Re: About gpgAuth

The way I see it: I will remove a feature and receive 10 mails from angry users ;)

> Why not talk to each other and share notes at least ?

I'm already too busy to develop firegpg, I won't begin to communicate with another person to develop some feature in common as I can't develop firegpg itself ;)