[dev] PGP support for IMP - A start...

Alex admin@networkessence.net
Wed, 27 Mar 2002 05:56:23 -0600


I haven't posted to this in forever, but this caught my eye...

Quoting Jan Schneider <jan@horde.org>:

> Quoting Michael M Slusarz <slusarz@bigworm.colorado.edu>:
> 
> > 1.) I think it is best to support GnuPG, and GnuPG only.  Unlike
> > 'regular' 
[snip]
> 
> I'm not glad with this situation, but I think, someone who already knows 
> how to use GPG or encryption in general should also know about this issue. 
> And we should put a BIG RED message on the screen where the users will 
> upload their private key. Perhaps we can use the <blink> tag? :-)
> 
> Another step to more security may be that we enable private keys (upload 
> and usage) only if we have a https connection. I won't be able to test it 
> then, but... 
> 
> One thing we have to discuss is, if it is less secure to store unencrypted 
> private keys on a public sql/ldap server or to pass the clear text 
> passphrase from the browser every time we use a private key.
> 

Imho, no matter what is done, a web-based client for GPG won't be secure.
Further, I see it as being extremely fragile.  But I'm all for it, as (with
SSL) I would probably use it myself, mainly because I'm familiar with the
integrity and security of the server IMP would be running on.  Other end-users
may not have that luxury.  First, I would expect the feature to be disabled by
default.  Implementation of IMP w/GPG would necessitate security for the
server it would be hosted on.  A user can easily install Horde/IMP on an
insecure server.  If the feature is disabled by default, warnings could be put
in place causing the user installing IMP to think twice before activating/using
the GPG feature.

I also believe that (as you said above) https should be required (hard-coded,
no option in the software otherwise) for GPG to work.  This would force an
installer of IMP to re-configure AND re-code IMP to get GPG to work without
https.  If clear text were to be used, it would take little effort to obtain
private keys.

And last, the code to go with this support should be, to say the least, secure,
but that's fairly obvious.  If anything is lacking, IMP will become a target.
The only secure way I can think of doing this would be to code a Java applet
that interacts with JavaScript in the client's browser to do everything client
side and have the applet relay between the server and the end-user.  Of course,
IMP is meant to be platform independent and only require a browser, but even
cell phones have Java now.  imo, no matter how this is done, there will be
tradeoffs between security and usability.  Browsers, let alone HTTP, aren't
really designed well for security (but that's no fault of anybody here of
course).

And of course (I haven't watched the list, so apologies if this was already
posted on the subject): http://www.gnupg.org/rfc2440.html

-Alex
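The two concrete design points in the message above (private-key support off by default, and https required with no configuration switch to turn that requirement off) can be illustrated in PHP, the language IMP is written in. The following is an added example written for this page, not Horde/IMP code; the $conf keys, the function names and the constructed request arrays are assumptions.

```php
<?php
// Added example (not Horde/IMP code): gate GnuPG private-key upload and use
// on an explicit opt-in AND an HTTPS connection. Configuration keys and
// function names are assumptions made for this illustration.

// Default in the shipped configuration: private-key support is OFF.
// The installer must flip this deliberately, which is the place to show the
// "BIG RED" warning discussed in the thread.
$conf = array();
$conf['gpg']['private_keys'] = false;

// Did THIS request arrive over TLS? PHP populates $_SERVER['HTTPS'] with a
// non-empty value for TLS requests (IIS sets 'off' for plaintext). Proxy
// headers such as X-Forwarded-Proto are deliberately not consulted: a client
// can set them itself, so trusting them would let plaintext traffic through.
function imp_request_is_tls(array $server)
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Single gate used by BOTH the key-upload form and every later request that
// would use the private key (decrypt/sign). Note there is no configuration
// value that bypasses the TLS check; removing it means editing code.
function imp_private_key_access_allowed(array $conf, array $server, &$reason)
{
    if (empty($conf['gpg']['private_keys'])) {
        $reason = 'GnuPG private-key support is disabled in the server configuration.';
        return false;
    }
    if (!imp_request_is_tls($server)) {
        $reason = 'GnuPG private-key upload and use require an HTTPS connection.';
        return false;
    }
    $reason = '';
    return true;
}

// Handler skeleton for the upload form: refuse before touching any key
// material, and do not leave the passphrase anywhere that outlives the request.
function imp_private_key_upload(array $conf, array $server, $armored_key, $passphrase)
{
    if (!imp_private_key_access_allowed($conf, $server, $reason)) {
        http_response_code(403);
        return "Refused: $reason";
    }
    // ... hand $armored_key to the GnuPG backend here ...
    // Clear the passphrase as soon as it has been used; never copy it into
    // $_SESSION or a log line.
    $passphrase = str_repeat("\0", strlen($passphrase));
    unset($passphrase);
    return 'Key accepted';
}

// Constructed request environments for a stand-alone run of this file.
$cases = array(
    'disabled, plaintext' => array($conf, array('HTTPS' => '')),
    'disabled, tls'       => array($conf, array('HTTPS' => 'on')),
    'enabled, plaintext'  => array(array('gpg' => array('private_keys' => true)), array('HTTPS' => 'off')),
    'enabled, tls'        => array(array('gpg' => array('private_keys' => true)), array('HTTPS' => 'on')),
);
foreach ($cases as $label => $case) {
    list($c, $s) = $case;
    $ok = imp_private_key_access_allowed($c, $s, $why);
    printf("%-20s -> %s %s\n", $label, $ok ? 'ALLOW' : 'DENY ', $why);
}
// Only the last case ("enabled, tls") prints ALLOW.
```

The important property is that `imp_request_is_tls()` looks at the connection PHP itself sees, so a reverse proxy terminating TLS and forwarding plaintext to the IMP host would still be refused; if that topology is wanted, the installer has to change code, which is exactly the friction the message argues for.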