Forum for the FireGPG's extention. (!Don't post too links or wait we unban your, akismet is very aggressive)
You are not logged in. Please login or register.
We have posted a write-up that talks about what gpgAuth is and how it works. You can visit it here: http://www.gpgauth.com/#what_how
We are working on getting a writeup that explains how to implement it. It should be available sometime Monday, June 25th, 2007.
The forums are open now as well, so feel free to ask some questions.
The gpgAuth Team - www.gpgauth.com
How to add the plug in firegpg.xpi to firefox bowser?
How to add the plug in firegpg.xpi to firefox bowser?
Just drag it into a firefox window....
Hello,
Tried to follow the links to both the GPGauth write-up and the gpgauth.com site, but both links appear broken.
What is the current status with GPGauth and where can I find the latest GPGauth-related code and docs?
Thanks in advance,
Eva
I recently raised significant problems and concerns with the gpgauth protocol on the gpgauth forums, and only got a response from someone who does not appear to be an author of the site.
Is fireGPG's gpgauth support vulnerable to the concerns i raised there?
Hi,
I'm not the auther of gpgauth, and if there is any security problem with gpgauth, it's wont affect the rest of firegpg 
I sugest you to contact the author of gpgAuth
I've tried to contact the author by posting on the forum, but didn . do you have another way i should contact him or her? whois suggests that he's named "kyle huff", but the main kyle huffs i found online was someone who went on shooting rampage in seattle a few years ago 
And i'm concerned not just that gpgauth is spoofable (i wouldn't trust it anyway), but that gpgauth support in firegpg could potentially allow for abuse of the user's keyring by a remote server which prompts for gpgauth activity.
can you explain more about why that wouldn't be a risk for users of firegpg?
> do you have another way i should contact him or her?
No
> can you explain more about why that wouldn't be a risk for users of firegpg?
They have to confirm any gpgauth action
Thanks for your quick followup, the_glu. If i find anything out that's relevant to firegpg, i'll post it here.
I found a discussion on enigform's forum that suggests that Kyle Huff (the original gpgAuth author) is proposing abandoning gpgAuth entirely in favor of enigform and apache's associated mod_auth_openpgp. another post suggests that he has in fact joined the enigform team As such, i plan on moving my cryptographic review to that suite of tools, and suggest that people avoid using gpgAuth entirely unless more information is forthcoming.
If you don't know how to reach the gpgAuth author, and he seems to have abandoned his own project, perhaps support for gpgAuth should be dropped from FireGPG ? Are you guys in discussion with buanzo (the author of enigform) about the ways your respective tools could work together?
Last edited by dkg (2009-03-16 03:52:12)
> perhaps support for gpgAuth should be dropped from FireGPG ?
Why ? Maybe he could be usefull
> Are you guys in discussion with buanzo (the author of enigform) ?
No.
> Why?
The way i see it: if a protocol has no active upstream support, no advocate, no formal specification, no development community, and no way of responding to reasonable concerns, then implementations of that protocol probably do not belong in a piece of user-facing security-critical software. At least not without big shiny red warning flags all around any and all UI related to where it might actually be used (and even that should only be possible after ticking a checkbox that can only be found in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard')
> No.
It seems like Enigform and FireGPG do some similar (though certainly not identical) tasks. They both do some incredible work behind the scenes to help Firefox talk to GnuPG, both potentially deal with Web of Trust issues, both ask the user for their GPG passphrase, and both deal with potential signing of sensitive data. Why not talk to each other and share notes at least?
Last edited by dkg (2009-03-16 06:28:01)
The way I see it: I will remove a feature and receive 10 mails from angry users
> Why not talk to each other and share notes at least ?
I'm already too busy to develop firegpg, I won't begin to communicate with another person to develop some feature in common as I can't develop firegpg himself
Powered by PunBB, supported by Informer Technologies, Inc.
Currently installed 2 official extensions. Copyright © 2003–2009 PunBB.