[RCD] OpenPGP in JavaScript in Roundcube in round in round in round...

Jonas Meurer jonas at freesources.org
Sat Jul 14 00:02:25 CEST 2012


I'm really happy to see PGP/GPG support in roundcube progressing ;)

Am 30.06.2012 17:34, schrieb Niklas:
> I've been working on implementing OpenPGP.js in Roundcube for the past
> couple of days. It's still an unfinished project in development, but
> since there's such high demand for the result I ought I'd ask you guys
> for some early feedback.
> For those of you who don't know: OpenPGP.js is a fork of the previous
> GPG4Browsers. The intent is to port all OpenPGP functionality into
> JavaScript so that third party software isn't required for PGP activity.
> It uses HTML5 web storage and standard PKI keyrings (private keys excluded).

It sounds like a interesting implementation.

> Speaking of Enigma: I'm sure someone will ask why I extend that instead.
> With all due respect to its authors and fans, Enigma has been stuck in
> development for 2 years, and PGP support has been planned for Roundcube
> for 6 years. I'm not sure whether Enigma is really relevant or not. Also
> I can not support a plugin that implements encryption as a server side
> solution. The main goal of encryption is to ensure that the data can not
> be accessed by unauthorized people. I believe that people hosting other
> people's mail should be treated as unauthorized, and giving private keys
> away to somebody else really fights against the entire purpose. And then
> arises the exact same problem that Hushmail users are experiencing:
> http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/

I agree that in most situations users shouldn't trust their ISPs. At
least they shouldn't give them private keys. But in other cases it's
actually the other way round: If people host their own webmail, and have
full control over the server hosting it, it might be much safer to store
a passphrase-encrypted subkey on this server than to import the secret
key into browser cache on public internet clients. The great thing about
server-side key storage is, that the secret key never leaves the server.

I actually see good reasons for both implementations. But the best would
be to merge both as much as possible and keep code / function
duplications small.


More information about the dev mailing list