On 2024-08-08 18:50, Daniel Kahn Gillmor wrote:
Hi Sébastien--
On Thu 2024-08-08 00:53:04 +0200, Sébastien Noel wrote:
[...]
Except for the part where you ask for an analysis, I'm sure I can answer
everything else. I will do that promptly.
I hope we can work on the analysis part as well, there are several
questions that i've asked on the MR. Perhaps we can address some of
them, even if not all. I appreciate that some security analysis has
been done by upstream already. Maybe there are pointers to that work
that could be a useful start?
I also note in https://mailvelope.com/en/faq#gnupg that mailvelope
doesn't depend on GnuPG specifically -- by default it uses OpenPGP.js,
but *may* communicate with GnuPG for the secret key material.
If you're using Mailvelope, can you confirm that this is the case? Do
you currently use it without GnuPG?
Mailvelope has 2 "backends". One is OpenPGP.js, where it works without
interacting with the local GnuPG install and the keys are stored in the
browser's local folder. This just works, today, without a change in any
gnupg component.
But I'm more interested in the second backend, where it uses the local
GnuPG install, so I can access keys stored on a hardware token. But to
communicate with GnuPG the Mailvelope browser plugin needs the
gpgme-json binary (+ a JSON manifest that tells the browser "open the
gates, it's ok"). That's what I'm using, and trying to push to
src:gpgme1.0, so that I can stop maintaining my own "fork".
br,
Sébastien
Regards,
--dkg
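The "JSON manifest that tells the browser 'open the gates'" mentioned above is a browser native messaging host manifest. The check a packager would want before shipping one is that it only opens the gate for a pinned extension rather than for anything on the machine. The following is an added example, not code from this thread, from gpgme or from Mailvelope: a small validator for such a manifest, checking the fields the Chromium family (allowed_origins) and Firefox (allowed_extensions) require. The host name "gpgmejson", the install path /usr/bin/gpgme-json and the 32-character extension ID in the sample manifests are placeholders chosen for the example, not values taken from the packaging work discussed here.

```python
import json
import re

# Chromium host names: lowercase alphanumerics, dots and underscores,
# with no leading, trailing or doubled dots.
HOST_NAME_RE = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)*$")
# Chromium extension origins: 32 characters in the range a-p, trailing slash.
CHROME_ORIGIN_RE = re.compile(r"^chrome-extension://[a-p]{32}/$")


def check_manifest(text: str) -> list:
    """Return a list of problems found in a native messaging host manifest.

    An empty list means the manifest is well-formed and pins the host to
    explicit extension origins rather than leaving it open.
    """
    problems = []
    try:
        m = json.loads(text)
    except json.JSONDecodeError as e:
        return ["not valid JSON: %s" % e]
    if not isinstance(m, dict):
        return ["top level must be a JSON object"]

    name = m.get("name")
    if not isinstance(name, str) or not HOST_NAME_RE.match(name):
        problems.append("name must match [a-z0-9._]+ with no leading, "
                        "trailing or doubled dots")

    if m.get("type") != "stdio":
        problems.append('type must be "stdio"')

    path = m.get("path")
    if not isinstance(path, str) or not path.startswith("/"):
        problems.append("path must be an absolute path to the host binary")

    origins = m.get("allowed_origins")
    exts = m.get("allowed_extensions")
    if origins is None and exts is None:
        problems.append("neither allowed_origins (Chromium) nor "
                        "allowed_extensions (Firefox) present")
    if origins is not None:
        if not isinstance(origins, list) or not origins:
            problems.append("allowed_origins must be a non-empty list")
        else:
            for o in origins:
                # Anything that is not a pinned chrome-extension://<id>/
                # origin (a wildcard, a bare ID, a web URL) is rejected.
                if not isinstance(o, str) or not CHROME_ORIGIN_RE.match(o):
                    problems.append("allowed_origins entry is not a pinned "
                                    "chrome-extension://<id>/ origin: %r" % (o,))
    if exts is not None:
        if (not isinstance(exts, list) or not exts
                or any(not isinstance(e, str) or not e for e in exts)):
            problems.append("allowed_extensions must be a non-empty list "
                            "of extension IDs")
    return problems


# Constructed sample manifests (placeholder name, path and extension ID).
GOOD_MANIFEST = json.dumps({
    "name": "gpgmejson",
    "description": "Native messaging host for gpgme-json (example)",
    "path": "/usr/bin/gpgme-json",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://" + "a" * 32 + "/"],
})

# Same manifest with four mistakes: hyphen in the name, wrong transport,
# relative path, and a wildcard origin that would let any extension talk
# to the host.
BAD_MANIFEST = json.dumps({
    "name": "gpgme-json",
    "path": "gpgme-json",
    "type": "tcp",
    "allowed_origins": ["*"],
})

if __name__ == "__main__":
    for label, text in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        print(label, check_manifest(text) or "ok")
```

Run against a manifest file with `check_manifest(open(path).read())`; the interesting finding in practice is the wildcard or web-URL origin, since the manifest is what decides which extension may drive the local GnuPG install and therefore the keys on the token.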