[guardian-dev] OpenPGP Keychain 2.1 with new API

Oliver Gasser oliver at flowriver.net
Mon Sep 16 09:44:12 EDT 2013


Hi Dominik,

first of all I appreciate your work on OpenPGP Keychain and k9mail
integration very much. Some questions regarding the API arise:

On 09/14/2013 02:08 PM, Dominik Schürmann wrote:
> Hi,
> 
> I don't agree fully on your approach to think more about the API and the
> implementation. I am actively working on a better user experience for
> OpenPGP on Android and can't seriously recommend APG to anyone (No PRNG
> fixes for example, serious bugs (selection of multiple pub keys is
> broken due to Android regression bugs)).
> 
> But that said, I think the current API should support PGP/MIME later
> without problems.
> 
> Please look at
> https://github.com/dschuermann/openpgp-keychain/blob/master/OpenPGP-Keychain/src/org/openintents/openpgp/IOpenPgpService.aidl

Regarding PGP/MIME and the API's (future) support for it: Did you
envision that PGP/MIME encryption/signing would also be handled by
IOpenPgpService.signAndEncrypt()? How would you signal this (parameter
or maybe different function "signAndEncryptMime()")?

> 
> The functions are simple and require a byte array for simplicity (I
> considered content provider Uris but that would complicate the use for
> app devs).
> The actual parsing, as already said, is solely done in OpenPGP Keychain
> (or other openpgp providers). Also all other actions that require user
> input or decisions are handled by OpenPGP Keychain.
> 
> I need actual feedback regarding the interface and parcelable classes :)
> 
> What we need to agree on are for example:
> - signature status values in
> https://github.com/dschuermann/openpgp-keychain/blob/master/OpenPGP-Keychain/src/org/openintents/openpgp/OpenPgpSignatureResult.java

The comment of IOpenPgpService.decryptAndVerify() states that it
also handles the case of signature only. What about encryption only?
There should be something like
OpenPgpSignatureResult.SIGNATURE_NOT_AVAILABLE. Is this what
OpenPgpSignatureResult.SIGNATURE_UNKNOWN is for? Some more documentation
about the constants would be great :-)

> - error ids in
> https://github.com/dschuermann/openpgp-keychain/blob/master/OpenPGP-Keychain/src/org/openintents/openpgp/OpenPgpError.java
> 
> Regards
> Dominik
> 

Regards,
Oliver
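
The client-side option raised in the quoted thread below (the mail client splits a multipart/signed message and submits the signed body and the signature to the OpenPGP provider) only works if the client extracts exactly the bytes RFC 3156 treats as signed. The following is an added example in Python, not code from K-9 or OpenPGP Keychain; the function name `split_multipart_signed` and the sample message are constructed for illustration.

```python
import re

# Constructed sample message (placeholder signature), CRLF line endings.
SAMPLE = (
    b"From: alice@example.org\r\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha256;\r\n"
    b' protocol="application/pgp-signature"; boundary="b1"\r\n'
    b"\r\n"
    b"This is an OpenPGP/MIME signed message.\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Hello Bob,\r\n"
    b"see you at 10.\r\n"
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: application/pgp-signature\r\n"
    b"\r\n"
    b"-----BEGIN PGP SIGNATURE-----\r\n"
    b"\r\n"
    b"constructed-placeholder\r\n"
    b"-----END PGP SIGNATURE-----\r\n"
    b"--b1--\r\n"
)

def split_multipart_signed(raw: bytes):
    """Return (signed_bytes, armored_signature) for a multipart/signed mail."""
    msg = re.sub(rb"\r?\n", b"\r\n", raw)      # canonical CRLF line endings
    head, sep, body = msg.partition(b"\r\n\r\n")
    head = re.sub(rb"\r\n[ \t]+", b" ", head)  # unfold header continuation lines
    ctype = re.search(rb"(?im)^content-type:\s*multipart/signed\b(.*)$", head)
    if not sep or not ctype or b"application/pgp-signature" not in ctype.group(1).lower():
        raise ValueError("not a PGP/MIME signed message")
    bnd = re.search(rb'(?i)boundary="?([^";\s]+)"?', ctype.group(1))
    if not bnd:
        raise ValueError("no boundary parameter")
    # The CRLF in front of "--boundary" belongs to the delimiter, so it is
    # not part of the signed bytes.
    delim = re.compile(rb"\r\n--" + re.escape(bnd.group(1)) + rb"(--)?[ \t]*(?=\r\n|\Z)")
    text = b"\r\n" + body
    marks = list(delim.finditer(text))
    # Exactly open, middle, close: with any other layout the content a client
    # displays could differ from the content that was verified.
    if [bool(m.group(1)) for m in marks] != [False, False, True]:
        raise ValueError("expected exactly two body parts")
    signed = text[marks[0].end() + 2:marks[1].start()]  # part headers + body
    sig_part = text[marks[1].end() + 2:marks[2].start()]
    signature = sig_part.partition(b"\r\n\r\n")[2]
    if not signature.startswith(b"-----BEGIN PGP SIGNATURE-----"):
        raise ValueError("second part is not an armored signature")
    return signed, signature
```

The signed bytes include the first part's own MIME headers, and the same bytes must be the ones rendered to the user after verification.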

> On 14.09.2013 12:31, Oliver Gasser wrote:
>> Hi,
>>
>> On 09/13/2013 10:50 PM, Hans-Christoph Steiner wrote:
>>>
>>> It seems to me that the OpenPGP AIDL API should be generic enough to work for
>>> both inline PGP and PGP/MIME.  I think we should consider that now.  What
>>> would K-9 need from the OpenPGP API in order to support PGP/MIME?
>>
>> I agree with Hans-Christoph on this one. It is good to take all
>> possibilities of an API specification into consideration before actually
>> implementing it. Otherwise we continually have to change the API _and_
>> the implementation.
>>
>> So I advocate to have a clear and comprehensive API specification
>> (including PGP/MIME). This does not mean that OpenPGP Keychain has to
>> support PGP/MIME right away. It just means that we lay out the data
>> formats and functions.
>>
>>>
>>> From my understanding of how PGP/MIME works, K-9 just needs to split out the
>>> MIME parts at the right borders, then submit the bits to the OpenPGP API for
>>> processing.  So for example, a signed message would be split into the signed
>>> body and the signature, and then those two bits would be sent to the OpenPGP API.
>>
>> This would be one possibility, to do some parsing on the side of k9mail
>> and parse and submit the single parts of the MIME message to the API.
>>
>> Another option is to hand the API the complete source of the mail and
>> let it do the parsing, decryption, verification as described in the RFC
>> [1]. This option would make the separation between the OpenPGP API and
>> the mail client clearer since everything related to OpenPGP including
>> PGP/MIME is done in the OpenPGP provider. GnuPG is working exactly like
>> this on the Desktop side of things (I suppose also on Android).
>>
>>>
>>> For as fast as possible, we have K-9 + APG working now, with all its known issues.
>>
>> Exactly. If we propose a new API it should include PGP/MIME from the start.
>>
>>>
>>> .hc
>>>
>>
>> [1] http://tools.ietf.org/html/rfc3156
>>
>>> On 09/13/2013 03:34 PM, Dominik Schürmann wrote:
>>>> Hi Oliver,
>>>>
>>>> I would be happy if someone would implement MIME support in k9mail to
>>>> enable PGP/MIME.
>>>> Currently my goal is different:
>>>> - I think we need to get to something that works as fast as possible due
>>>> to recent trust problems regarding infrastructure ;)
>>>> - So I will focus on support for inline PGP with the new remote service API.
>>>> - Newer API versions can then also include support for PGP/MIME. It's no
>>>> problem to query for an API version and use different interface definitions.
>>>>
>>>> But MIME support is currently out of my scope due to time constraints. I
>>>> have to focus on other bugs and design issues.
>>>>
>>>> That said, every contributor is welcome. If you have questions about the
>>>> code in OpenPGP Keychain, reach me via Jabber (email=jabber id).
>>>>
>>>> Regards
>>>> Dominik
>>>>
>>>> On 13.09.2013 17:26, Oliver Gasser wrote:
>>>>> Hi,
>>>>>
>>>>> I think that PGP/MIME support in the new API would definitely help its
>>>>> adoption (especially in k9mail). This feature would be a real benefit
>>>>> which you could point developers and users to: In combination with
>>>>> OpenPGP Keychain (or also GnuPG on Android) k9mail is finally able to
>>>>> work as a fully-enabled PGP mail client.
>>>>>
>>>>> So my idea is to first design a viable OpenPGP API including PGP/MIME as
>>>>> an essential part. And once we are happy with that we can implement both
>>>>> the k9mail part as well as the OpenPGP Keychain part.
>>>>>
>>>>> I of course offer my help in this process.
>>>>>
>>>>> Regards,
>>>>> Oliver
>>>>>
>>>>>
>>>>> On 09/13/2013 05:04 PM, Dominik Schürmann wrote:
>>>>>> Hi Oliver,
>>>>>
>>>>>> currently no. We are working on getting the new API for PGP/INLINE into
>>>>>> k9mail before moving on with PGP/MIME.
>>>>>
>>>>>> Regards
>>>>>> Dominik
>>>>>
>>>>>> On 13.09.2013 16:50, Oliver Gasser wrote:
>>>>>>> Does OpenPGP Keychain support PGP/MIME, i.e. can I take an encrypted
>>>>>>> and signed email including the headers and feed all of it to the app
>>>>>>> and it will return the decrypted text and the signature verification
>>>>>>> status?
>>>>>>> I know that gpg can do this on the desktop, not sure about the GnuPG
>>>>>>> Android App though.
>>>>>>>
>>>>>>> On 09/10/2013 12:45 PM, Dominik Schürmann wrote:
>>>>>>>> TL;DR: Try out the new OpenPGP Keychain API:
>>>>>>>> Keychain:
>>>>>>>> https://play.google.com/stor/apps/details?id=org.sufficientlysecure.keychain
>>>>>>>> API Demo:
>>>>>>>> https://play.google.com/stor/apps/details?id=org.sufficientlysecure.keychain.demo
>>>>>>>>
>>>>>>>> (also sent to guardian-dev mailing list)
>>>>>>>>
>>>>>>>> Long version: As discussed previously I now present my new Crypto
>>>>>>>> API that I propose for integration into k9mail. All apps wanting to
>>>>>>>> use this generic API just need to include the AIDL files and
>>>>>>>> connect to the service. Other crypto apps can implement a service
>>>>>>>> based on this AIDL definition.
>>>>>>>
>>>>>>>> Design
>>>>>>>> ------
>>>>>>>> The API is designed to be as easy as possible to use
>>>>>>>> by apps like k9mail. The service definition defines
>>>>>>>> sign/encrypt/signAndEncrypt/decryptAndVerify [1]. As can be seen
>>>>>>>> the apps themselves never need to handle key ids directly. Only user
>>>>>>>> ids (emails) are used to define recipients. If more than one pub
>>>>>>>> key exists for an email, OpenPGP Keychain will handle the problem
>>>>>>>> by showing a selection screen. Also app devs never need to fiddle
>>>>>>>> with private keys. On first operation, OpenPGP Keychain shows an
>>>>>>>> activity to allow or disallow access, while also allowing to choose
>>>>>>>> the private key used for this app. Please try the Demo app out to
>>>>>>>> see how it works [4].
>>>>>>>>
>>>>>>>> Integration
>>>>>>>> -----------
>>>>>>>> The API is defined as AIDL interfaces in the
>>>>>>>> org.openintents.crypto package [2]. All files from [2] need to be
>>>>>>>> included in the project. Using the CryptoServiceConnection.java [3]
>>>>>>>> you can choose to which crypto provider you want to connect (other
>>>>>>>> pgp apps can implement the interfaces). They can be queried as
>>>>>>>> shown in the demo app (see [3] how to query). If other crypto apps
>>>>>>>> implement the service, no additional code is required in k9mail per
>>>>>>>> provider. See [3] for a complete example for integration.
>>>>>>>>
>>>>>>>> ToDos
>>>>>>>> -----
>>>>>>>> - error handling needs improvements
>>>>>>>> - signature results need improvements (should also contain email address)
>>>>>>>> - Integration in k9mail
>>>>>>>>
>>>>>>>> Feedback
>>>>>>>> --------
>>>>>>>> I would like to hear your opinions and directions
>>>>>>>> this API should take.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Dominik Schürmann
>>>>>>>
>>>>>>>
>>>>>>>> [1] https://github.com/dschuermann/openpgp-keychain/blob/master/OpenPGP-Keychain-API-Demo/src/org/openintents/crypto/ICryptoService.aidl
>>>>>>>> [2] https://github.com/dschuermann/openpgp-keychain/tree/master/OpenPGP-Keychain-API-Demo/src/org/openintents/crypto
>>>>>>>> [3] https://github.com/dschuermann/openpgp-keychain/blob/master/OpenPGP-Keychain-API-Demo/src/org/openintents/crypto/CryptoServiceConnection.java
>>>>>>>> [3] https://github.com/dschuermann/openpgp-keychain/blob/master/OpenPGP-Keychain-API-Demo/src/org/sufficientlysecure/keychain/demo/CryptoProviderDemoActivity.java
>>>>>>>> [4] https://play.google.com/stor/apps/details?id=org.sufficientlysecure.keychain.demo
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> _______________________________________________ Guardian-dev
>>>>>>>> mailing list
>>>>>>>
>>>>>>>> Post: Guardian-dev at lists.mayfirst.org List info:
>>>>>>>> https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>>>
>>>>>>>> To Unsubscribe Send email to:
>>>>>>>> Guardian-dev-unsubscribe at lists.mayfirst.org Or visit:
>>>>>>>> https://lists.mayfirst.org/mailman/options/guardian-dev/oliver%40flowriver.net
>>>>>>>
>>>>>>>>  You are subscribed as: oliver at flowriver.net
>>>>>>>