[guardian-dev] OpenPGP Keychain 2.1 with new API

Oliver Gasser oliver at flowriver.net
Sat Sep 14 06:31:21 EDT 2013


Hi,

On 09/13/2013 10:50 PM, Hans-Christoph Steiner wrote:
> 
> It seems to me that the OpenPGP AIDL API should be generic enough to work for
> both inline PGP and PGP/MIME.  I think we should consider that now.  What
> would K-9 need from the OpenPGP API in order to support PGP/MIME?

I agree with Hans-Christoph on this one. It is good to take all
possibilities of an API specification into consideration before actually
implementing it. Otherwise we continually have to change the API _and_
the implementation.

So I advocate to have a clear and comprehensive API specification
(including PGP/MIME). This does not mean that OpenPGP Keychain has to
support PGP/MIME right away. It just means that we lay out the data
formats and functions.

> 
> From my understanding of how PGP/MIME works, K-9 just needs to split out the
> MIME parts at the right borders, then submit the bits to the OpenPGP API for
> processing.  So for example, a signed message would be split into the signed
> body and the signature, and then those two bits would be sent to the OpenPGP API.

This would be one possibility, to do some parsing on the side of k9mail
and parse and submit the single parts of the MIME message to the API.

Another option is to hand the API the complete source of the mail and
let it do the parsing, decryption, verification as described in the RFC
[1]. This option would make the separation between the OpenPGP API and
the mail client clearer since everything related to OpenPGP including
PGP/MIME is done in the OpenPGP provider. GnuPG is working exactly like
this on the Desktop side of things (I suppose also on Android).

> 
> For as fast as possible, we have K-9 + APG working now, with all its known issues.

Exactly. If we propose a new API it should include PGP/MIME from the start.

> 
> .hc
> 

[1] http://tools.ietf.org/html/rfc3156

> On 09/13/2013 03:34 PM, Dominik Schürmann wrote:
>> Hi Oliver,
>>
>> I would be happy if someone would implement MIME support in k9mail to
>> enable PGP/MIME.
>> Currently my goal is different:
>> - I think we need to get to something that works as fast as possible due
>> to recent trust problems regarding infrastructure ;)
>> - So I will focus on support for inline PGP with the new remote service API.
>> - Newer API versions can then also include support for PGP/MIME. It's no
>> problem to query for an API version and use different interface definitions.
>>
>> But MIME support is currently out of my scope due to time constraints. I
>> have to focus on other bugs and design issues.
>>
>> That said, every contributor is welcome. If you have questions about the
>> code in OpenPGP Keychain, reach me via Jabber (email=jabber id).
>>
>> Regards
>> Dominik
>>
>> On 13.09.2013 17:26, Oliver Gasser wrote:
>>> Hi,
>>>
>>> I think that PGP/MIME support in the new API would definitely help its
>>> adoption (especially in k9mail). This feature would be a real benefit
>>> which you could point developers and users to: In combination with
>>> OpenPGP Keychain (or also GnuPG on Android) k9mail is finally able to
>>> work as a fully-enabled PGP mail client.
>>>
>>> So my idea is to first design a viable OpenPGP API including PGP/MIME as
>>> an essential part. And once we are happy with that we can implement both
>>> the k9mail part as well as the OpenPGP Keychain part.
>>>
>>> I of course offer my help in this process.
>>>
>>> Regards,
>>> Oliver
>>>
>>>
>>> On 09/13/2013 05:04 PM, Dominik Schürmann wrote:
>>>> Hi Oliver,
>>>
>>>> currently no. We are working on getting the new API for PGP/INLINE into
>>>> k9mail before moving on with PGP/MIME.
>>>
>>>> Regards
>>>> Dominik
>>>
>>>> On 13.09.2013 16:50, Oliver Gasser wrote:
>>>
>>>
>>>> On 13.09.2013 16:50, Oliver Gasser wrote:
>>>>> Does OpenPGP Keychain support PGP/MIME, i.e. can I take an encrypted
>>>>> and signed email including the headers and feed all of it to the app
>>>>> and it will return the decrypted text and the signature verification
>>>>> status?
>>>>> I know that gpg can do this on the desktop, not sure about the GnuPG
>>>>> Android App though.
>>>>>
>>>>> On 09/10/2013 12:45 PM, Dominik Schürmann wrote:
>>>>>> TL;DR: Try out the new OpenPGP Keychain API: Keychain: 
>>>>>> https://play.google.com/stor/apps/details?id=org.sufficientlysecure.keychain
>>>>>
>>>>>
>>>>> API Demo:
>>>>>> https://play.google.com/stor/apps/details?id=org.sufficientlysecure.keychain.demo
>>>>>
>>>>>>  (also send to guardian-dev mailinglist)
>>>>>
>>>>>> Long version: As discussed previously I now present my new Crypto
>>>>>> API that I propose for integration into k9mail. All apps wanting to
>>>>>> use this generic API just need to include the AIDL files and
>>>>>> connect to the service. Other crypto apps can implement a service
>>>>>> based on this AIDL definition.
>>>>>
>>>>>> Design ------ The API is designed to be as easy as possible to use
>>>>>> by apps like k9mail. The service definition defines 
>>>>>> sign/encrypt/signAndEncrypt/decryptAndVerify [1]. As can be seen
>>>>>> the apps themselves never need handle key ids directly. Only user
>>>>>> ids (emails) are used to define recipients. If more than one pub
>>>>>> key exists for an email, OpenPGP Keychain will handle the problem
>>>>>> by showing a selection screen. Also app devs never need to fiddle
>>>>>> with private keys. On first operation, OpenPGP Keychain shows an
>>>>>> activity to allow or disallow access, while also allowing to choose
>>>>>> the private key used for this app. Please try the Demo app out to
>>>>>> see how it works [4].
>>>>>
>>>>>> Integration ----------- The API is defined as AIDL interfaces in
>>>>>> org.openintents.crypto packge [2]. All files from [2] needs to be
>>>>>> included in the project. Using the CryptoServiceConnection.java [3]
>>>>>> you can choose to which crypto provider you want to connect (other
>>>>>> pgp apps can implement the interfaces). They can be queried as
>>>>>> shown in the demo app (see [3] how to query). If other crypto apps
>>>>>> implement the service, no additional code is required in k9mail per
>>>>>> provider. See [3] for a complete example for integration.
>>>>>
>>>>>> ToDos ----- - error handling needs improvements - signature results
>>>>>> needs improvements (should also contain email address) -
>>>>>> Integration in k9mail
>>>>>
>>>>>> Feedback -------- I would like to hear your opinions and directions
>>>>>> this API should take.
>>>>>
>>>>>> Regards Dominik Schürmann
>>>>>
>>>>>
>>>>>> [1] 
>>>>>> https://github.com/dschuermann/openpgp-keychain/blob/master/OpenPGP-Keychain-API-Demo/src/org/openintents/crypto/ICryptoService.aidl
>>>>>
>>>>>>  [2] 
>>>>>> https://github.com/dschuermann/openpgp-keychain/tree/master/OpenPGP-Keychain-API-Demo/src/org/openintents/crypto
>>>>>
>>>>>>  [3] 
>>>>>> https://github.com/dschuermann/openpgp-keychain/blob/master/OpenPGP-Keychain-API-Demo/src/org/openintents/crypto/CryptoServiceConnection.java
>>>>>
>>>>>>  [3] 
>>>>>> https://github.com/dschuermann/openpgp-keychain/blob/master/OpenPGP-Keychain-API-Demo/src/org/sufficientlysecure/keychain/demo/CryptoProviderDemoActivity.java
>>>>>
>>>>>>  [4] 
>>>>>> https://play.google.com/stor/apps/details?id=org.sufficientlysecure.keychain.demo
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> _______________________________________________ Guardian-dev
>>>>>> mailing list
>>>>>
>>>>>> Post: Guardian-dev at lists.mayfirst.org List info:
>>>>>> https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>
>>>>>> To Unsubscribe Send email to:
>>>>>> Guardian-dev-unsubscribe at lists.mayfirst.org Or visit:
>>>>>> https://lists.mayfirst.org/mailman/options/guardian-dev/oliver%40flowriver.net
>>>>>
>>>>>>  You are subscribed as: oliver at flowriver.net
>>>>>
>>>> Does OpenPGP Keychain support PGP/MIME, i.e. can I take an encrypted
>>>> and signed email including the headers and feed all of it to the app
>>>> and it will return the decrypted text and the signature verification
>>>> status?
>>>> I know that gpg can do this on the desktop, not sure about the GnuPG
>>>> Android App though.
>>>
>>>> On 09/10/2013 12:45 PM, Dominik Schürmann wrote:
>>>>>>> TL;DR: Try out the new OpenPGP Keychain API: Keychain: 
>>>>>>> https://play.google.com/stor/apps/details?id=org.sufficientlysecure.keychain
>>>>>>>
>>>>>>>
>>>> API Demo:
>>>>>>> https://play.google.com/stor/apps/details?id=org.sufficientlysecure.keychain.demo
>>>>>>>
>>>>>>>  (also send to guardian-dev mailinglist)
>>>>>>>
>>>>>>> Long version: As discussed previously I now present my new Crypto
>>>>>>> API that I propose for integration into k9mail. All apps wanting to
>>>>>>> use this generic API just need to include the AIDL files and
>>>>>>> connect to the service. Other crypto apps can implement a service
>>>>>>> based on this AIDL definition.
>>>>>>>
>>>>>>> Design ------ The API is designed to be as easy as possible to use
>>>>>>> by apps like k9mail. The service definition defines 
>>>>>>> sign/encrypt/signAndEncrypt/decryptAndVerify [1]. As can be seen
>>>>>>> the apps themselves never need handle key ids directly. Only user
>>>>>>> ids (emails) are used to define recipients. If more than one pub
>>>>>>> key exists for an email, OpenPGP Keychain will handle the problem
>>>>>>> by showing a selection screen. Also app devs never need to fiddle
>>>>>>> with private keys. On first operation, OpenPGP Keychain shows an
>>>>>>> activity to allow or disallow access, while also allowing to choose
>>>>>>> the private key used for this app. Please try the Demo app out to
>>>>>>> see how it works [4].
>>>>>>>
>>>>>>> Integration ----------- The API is defined as AIDL interfaces in
>>>>>>> org.openintents.crypto packge [2]. All files from [2] needs to be
>>>>>>> included in the project. Using the CryptoServiceConnection.java [3]
>>>>>>> you can choose to which crypto provider you want to connect (other
>>>>>>> pgp apps can implement the interfaces). They can be queried as
>>>>>>> shown in the demo app (see [3] how to query). If other crypto apps
>>>>>>> implement the service, no additional code is required in k9mail per
>>>>>>> provider. See [3] for a complete example for integration.
>>>>>>>
>>>>>>> ToDos ----- - error handling needs improvements - signature results
>>>>>>> needs improvements (should also contain email address) -
>>>>>>> Integration in k9mail
>>>>>>>
>>>>>>> Feedback -------- I would like to hear your opinions and directions
>>>>>>> this API should take.
>>>>>>>
>>>>>>> Regards Dominik Schürmann
>>>>>>>
>>>>>>>
>>>>>>> [1] 
>>>>>>> https://github.com/dschuermann/openpgp-keychain/blob/master/OpenPGP-Keychain-API-Demo/src/org/openintents/crypto/ICryptoService.aidl
>>>>>>>
>>>>>>>  [2] 
>>>>>>> https://github.com/dschuermann/openpgp-keychain/tree/master/OpenPGP-Keychain-API-Demo/src/org/openintents/crypto
>>>>>>>
>>>>>>>  [3] 
>>>>>>> https://github.com/dschuermann/openpgp-keychain/blob/master/OpenPGP-Keychain-API-Demo/src/org/openintents/crypto/CryptoServiceConnection.java
>>>>>>>
>>>>>>>  [3] 
>>>>>>> https://github.com/dschuermann/openpgp-keychain/blob/master/OpenPGP-Keychain-API-Demo/src/org/sufficientlysecure/keychain/demo/CryptoProviderDemoActivity.java
>>>>>>>
>>>>>>>  [4] 
>>>>>>> https://play.google.com/stor/apps/details?id=org.sufficientlysecure.keychain.demo
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________ Guardian-dev
>>>>>>> mailing list
>>>>>>>
>>>>>>> Post: Guardian-dev at lists.mayfirst.org List info:
>>>>>>> https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>>>
>>>>>>> To Unsubscribe Send email to:
>>>>>>> Guardian-dev-unsubscribe at lists.mayfirst.org Or visit:
>>>>>>> https://lists.mayfirst.org/mailman/options/guardian-dev/oliver%40flowriver.net
>>>>>>>
>>>>>>>  You are subscribed as: oliver at flowriver.net
>>>>>>>
>>>
>>
>>
>>
>> _______________________________________________
>> Guardian-dev mailing list
>>
>> Post: Guardian-dev at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>
>> To Unsubscribe
>>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/hans%40guardianproject.info
>>
>> You are subscribed as: hans at guardianproject.info
>>
> 
> 
> 
> _______________________________________________
> Guardian-dev mailing list
> 
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> 
> To Unsubscribe
>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/oliver%40flowriver.net
> 
> You are subscribed as: oliver at flowriver.net
> 


More information about the Guardian-dev mailing list