[guardian-dev] OpenPGP on Android: GnuPG vs Bouncy Castle

Hans-Christoph Steiner hans at guardianproject.info
Mon Apr 8 17:24:30 EDT 2013 

First off, I'd just like to say we appreciate you taking the time to provide
criticism to our approach.  We are always open to hear other opinions.

On 04/08/2013 04:50 PM, Dominik Schürmann wrote:
> Hi folks,
> 
> unfortunately, the last discussion about OpenPGP implementations on
> Android didn't go further and Abel Luck didn't answer. I will try to
> restart the discussion to get more insights into your GnuPG port and try
> to discuss my view on GnuPG vs Bouncy Castle. Eventually, I will change
> my opinions :)
> I read most code of the GnuPG port last weekend and now have even more
> caveats.
> 
> First again let me say, I appreciate all the effort that has been put in
> this port. Currently I am also doing Android NDK/JNI (+SWIG) work on a
> university project and it is quite a mess :D
> Also, my view on multiple implementations of the same standard is that
> it can be positive to have competition to test implementations against
> each other and improve interoperability. On the other hand, implementing
> one OpenPGP app can lead to faster development as the existing small
> human resources are bundled up.
> 
> So I hope that I get other opinions on the following questions/caveats:
> 
> - Let me start with the biggest one: What exactly are you missing from
> APG/my fork compared to GnuPG, in other words: Why did you start porting
> GnuPG instead of forking APG?

It would be nice to have a pure Java implementation of the full features of
the GnuPG suite, but we looked into that and thought it would be significantly
less work to port GnuPG.  In retrospect, we might have be wrong about that,
but in any case, we now have GnuPG working on Android and want to pursue it.
Ideally, this work would also feed your pure Java implementation as well, but
that's not a current priority.

You can find our notes on what APG lacks here:
http://guardianproject.info/wiki/Encryption_and_Identity_Verification

Here is a sketch of what we want to add to the GnuPG app:
http://guardianproject.info/wiki/GnuPrivacyGuard_for_Android

The key parts missing in the APG implementation are:
* no method for uploading personal public key
* no method for signing other people's keys
* no method to view signatures on a key
* no method for generating and managing subkeys
* no PGP/MIME support

Perhaps you've addressed some of these in OpenPGP Keychain, I haven't looked
too closely. We are also hoping that using GnuPG will be faster/more efficient
that a BouncyCastle approach, which is quite important to use since we're
working on encrypting videos on phones.

> - I think, with a Java lib like Bouncy Castle as the backend, it is much
> easier to provide working multi platform versions.

Yes, pure Java will be easier to support on non-ARM Android platforms.  But
since they are currently a tiny minority, it was not a high priority when we
started.  We figured that those platforms could be served by APG, and now
OpenPGP Keychain.

> - Using a java lib I can easily serialize the openpgp objects into the
> sqlite database. As I understand GnuPG, the keyring lists are stored
> differently and are returned by array lists. To provide a fully
> functional abstraction layer ("the Android way") a Content Provider has
> to be in place. In my opinion, this is much faster and more reliable
> (concurrent access?) when using sqlite.
> This Content Provider and the new Remote service API was actually the
> most complicated part in my fork besides the user interface (I hate
> designing user interfaces :D )
>
> Hoping for insights,
> Dominik

Your ContentProvider sounds like a useful abstraction and should also be
applicable to the GnuPG port. So it sounds like you have already been
abstracting out the backend, so that would make this project much easier as
long as we can do everything we need via a ContentProvider.  If we can make a
standard API for the communication between the app and the PGP-providing
service (eg. gnupg or bouncycastle), then we can use a shared app as the
standard interface.

.hc

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 939 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20130408/50c2ba51/attachment.pgp>

More information about the Guardian-dev mailing list