[RCD] OpenPGP in JavaScript in Roundcube in round in round in round...

Niklas Femerstrand nik at qnrq.se
Thu Jul 12 17:31:36 CEST 2012

Yeah, the keys will have to be imported for every individual site using
openpgpjs. I'm not very concerned about that, I think the users are more
than willing to import keys everywhere. I think that's just normal usage
of PKI, kind of how SSH users would have to put all their public keys on
remote hosts.

One thing related to this that I haven't looked into though is: how
persistent is the HTML5 web storage, and when and under what
circumstances does it expire? It would suck to have to import private
keys from a local storage once a day. Perhaps if that becomes a problem
later on JavaScript cookies could be used as backup. But once again, I
haven't looked at this at all, and it might not be a problem at all.

OpenPGP.js is actually a fork of GPG4Browsers :-)


On 7/12/12 10:19 PM, Thomas Bruederli wrote:
> On Wed, Jul 11, 2012 at 5:00 PM, Niklas <nik at qnrq.se> wrote:
>> Hey-hey!
>> The key manager uses HTML5 web storage to store keys, perhaps your
>> browser doesn't support it yet? I've confirmed that part to work in both
>> Firefox and Chrome. The plugin is heavily depending on HTML5 and things
>> like window.crypto, which Chrome currently supports but Firefox is
>> lagging (for some reason they're holding the release back because it's
>> not finished for the mobile app).
> I tried with Chrome and importing public keys worked fine. Nevermind,
> I guess the problem was somewhere between the chair and the keyboard
> :-)
> BTW: as far as I understand HTML5 local storage, the key store is
> restricted to the host/domain of the Roundcube installation. Of course
> that's a reasonable security feature. But it also means that I'd have
> to install my keys at every website using openpgpjs individually,
> right?
>> Decryption works as a proof of concept currently and currently it can
>> only decrypt using one (the first) private key in the key manager. The
>> decryption function is on rows 275-334 here:
>> https://github.com/qnrq/rc_openpgpjs/blob/master/js/openpgpjs.js
>> I see what you mean about message parsing being a big project to get
>> working somehow on the client side. I can't say that I'm looking forward
>> to that part, but for now the most important thing imho is to get any
>> PGP safely into Roundcube. It might be something that requires patching
>> openpgp.js and that's fine by me, I've already planned doing
>> modifications there.
> I recently found http://gpg4browsers.recurity.com which actually heads
> into that direction.
>> I think it's OK if it takes some time to get full multipart messaging
>> support. Browsers haven't implemented HTML5 fully yet so either what is
>> done with the plugin it won't function 100 % until things like that are
>> ready.
> That's certainly true. But as always, users want that feature ASAP...
> _______________________________________________
> Roundcube Development discussion mailing list
> dev at lists.roundcube.net
> http://lists.roundcube.net/mailman/listinfo/dev

More information about the dev mailing list