gmane.comp.encryption.gpg.gnutls.devel

Daniel Kahn Gillmor | 16 Jun 07:54

Face

OpenPGP certificate/key management thoughts about function re-organization and cleanup

Hey folks--

This message describes some thoughts about the GnuTLS OpenPGP API (in
particular, the bits that used to be OpenCDK).  These thoughts have
come after i've played with the library for a while, but they may
still be ill-informed.  I'd be happy to have flaws in my reasoning
pointed out.  My first observation was dismay at just how many
functions were specifically available for the OpenPGP key management
functionality.  The OpenPGP function reference [0] is enormous and
difficult to wade through.  Furthermore, much functionality seems
duplicated (or quadruplicated!) across different functions, which can
make it difficult to write clean, simple code with the library.

What follows are some proposals that might simplify and streamline the
set of functions available, which would make it easier for a skimming
developer to get a sense of the main functionality offered by the
library, and would facilitate writing tighter code in scenarios where
certain aspects might be better treated as abstractions.

Primary Keys vs. Subkeys
------------------------

There are currently a lot of duplicated functions which deal with the
subkey and primary keys differently.  For example:

 gnutls_openpgp_crt_get_pk_algorithm()
 gnutls_openpgp_crt_get_subkey_pk_algorithm()

These behave exactly the same way, but the primary key is sort of
special-cased out.

(Continue reading)

Simon Josefsson | 16 Jun 12:07

Re: OpenPGP certificate/key management thoughts about function re-organization and cleanup

Daniel Kahn Gillmor <dkg-debian.org <at> fifthhorseman.net> writes:

> Hey folks--
>
> This message describes some thoughts about the GnuTLS OpenPGP API (in
> particular, the bits that used to be OpenCDK).  These thoughts have
> come after i've played with the library for a while, but they may
> still be ill-informed.  I'd be happy to have flaws in my reasoning
> pointed out.  My first observation was dismay at just how many
> functions were specifically available for the OpenPGP key management
> functionality.

Hi!  Thanks for discussing this.

> The OpenPGP function reference [0] is enormous and difficult to wade
> through. Furthermore, much functionality seems duplicated (or
> quadruplicated!)  across different functions, which can make it
> difficult to write clean, simple code with the library.

Agreed.

> What follows are some proposals that might simplify and streamline the
> set of functions available, which would make it easier for a skimming
> developer to get a sense of the main functionality offered by the
> library, and would facilitate writing tighter code in scenarios where
> certain aspects might be better treated as abstractions.
>
> Primary Keys vs. Subkeys
> ------------------------
>

(Continue reading)

Nikos Mavrogiannopoulos | 16 Jun 15:53

Re: OpenPGP certificate/key management thoughts about function re-organization and cleanup

On Mon, Jun 16, 2008 at 12:07 PM, Simon Josefsson <simon <at> josefsson.org> wrote:

>> Primary Keys vs. Subkeys
>> ------------------------
>>
>> There are currently a lot of duplicated functions which deal with the
>> subkey and primary keys differently.  For example:
>>
>>  gnutls_openpgp_crt_get_pk_algorithm()
>>  gnutls_openpgp_crt_get_subkey_pk_algorithm()
>>
>> These behave exactly the same way, but the primary key is sort of
>> special-cased out.
>>
>> When writing key management code, one often abstracts away the
>> differences between primary keys and subkeys, and needs to just walk
>> through each key separately.  Having to call different functions for
>> the subkey than for the primary key is awkward and makes for a lot of
>> code duplication, which is room for error.
>>
>> We could significantly reduce the number of functions exposed by
>> GnuTLS if we were to collapse these pairs of functions into a single
>> function which takes a key index.  Key index 0 would be the primary
>> key, key index 1 would be the first subkey, etc.  This would allow
>> much simpler looping constructs over a keyset, and would make the
>> documentation easier to scan and understand.
>
> I think this suggestion makes sense, although I'm not an OpenPGP expert.
> I have also found the number of APIs related to keys+subkeys rather
> overwhelming.

(Continue reading)

Simon Josefsson | 16 Jun 16:03

Re: OpenPGP certificate/key management thoughts about function re-organization and cleanup

"Nikos Mavrogiannopoulos" <n.mavrogiannopoulos <at> gmail.com> writes:

> On Mon, Jun 16, 2008 at 12:07 PM, Simon Josefsson <simon <at> josefsson.org> wrote:
>
>>> Primary Keys vs. Subkeys
>>> ------------------------
>>>
>>> There are currently a lot of duplicated functions which deal with the
>>> subkey and primary keys differently.  For example:
>>>
>>>  gnutls_openpgp_crt_get_pk_algorithm()
>>>  gnutls_openpgp_crt_get_subkey_pk_algorithm()
>>>
>>> These behave exactly the same way, but the primary key is sort of
>>> special-cased out.
>>>
>>> When writing key management code, one often abstracts away the
>>> differences between primary keys and subkeys, and needs to just walk
>>> through each key separately.  Having to call different functions for
>>> the subkey than for the primary key is awkward and makes for a lot of
>>> code duplication, which is room for error.
>>>
>>> We could significantly reduce the number of functions exposed by
>>> GnuTLS if we were to collapse these pairs of functions into a single
>>> function which takes a key index.  Key index 0 would be the primary
>>> key, key index 1 would be the first subkey, etc.  This would allow
>>> much simpler looping constructs over a keyset, and would make the
>>> documentation easier to scan and understand.
>>
>> I think this suggestion makes sense, although I'm not an OpenPGP expert.

(Continue reading)

Werner Koch | 16 Jun 16:30

Re: OpenPGP certificate/key management thoughts about function re-organization and cleanup

On Mon, 16 Jun 2008 15:53, n.mavrogiannopoulos <at> gmail.com said:

> This is quite unavoidable. I wanted to have a consistent API for X.509
> and Openpgp keys. If this changes consistency is pretty much gone!

It is probably too late now but you might want to look at the gpgme
interface for keys.  It is now in active use for 5 years.  For example,
retrieving all fingerprints of a key is a mere list walking.

By having the gnutls API similar to the one of gpgme it will make the
life of developers much easier.  You could just take the structure
definitions out of gpgme and use the same definition under a different
name in gnutls.

Just my 2 cents,

  Werner

--

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

Simon Josefsson | 16 Jun 19:35

Re: OpenPGP certificate/key management thoughts about function re-organization and cleanup

Werner Koch <wk <at> gnupg.org> writes:

> On Mon, 16 Jun 2008 15:53, n.mavrogiannopoulos <at> gmail.com said:
>
>> This is quite unavoidable. I wanted to have a consistent API for X.509
>> and Openpgp keys. If this changes consistency is pretty much gone!
>
> It is probably too late now but you might want to look at the gpgme
> interface for keys.  It is now in active use for 5 years.  For example,
> retrieving all fingerprints of a key is a mere list walking.
>
> By having the gnutls API similar to the one of gpgme it will make the
> life of developers much easier.  You could just take the structure
> definitions out of gpgme and use the same definition under a different
> name in gnutls.

Making it simple for gpgme applications to use gnutls' openpgp stuff
would be very cool.  Some alignment of the APIs here may be possible.
Is GPGME under the LGPL so it can be used by libgnutls?

Alas, I don't have time to work on it any time soon. :(

/Simon

Werner Koch | 17 Jun 21:18

Re: OpenPGP certificate/key management thoughts about function re-organization and cleanup

On Mon, 16 Jun 2008 19:35, simon <at> josefsson.org said:

> would be very cool.  Some alignment of the APIs here may be possible.
> Is GPGME under the LGPL so it can be used by libgnutls?

Yes.

Shalom-Salam,

   Werner

--

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

Simon Josefsson | 18 Jun 10:51

Re: OpenPGP certificate/key management thoughts about function re-organization and cleanup

Werner Koch <wk <at> gnupg.org> writes:

> On Mon, 16 Jun 2008 19:35, simon <at> josefsson.org said:
>
>> would be very cool.  Some alignment of the APIs here may be possible.
>> Is GPGME under the LGPL so it can be used by libgnutls?
>
> Yes.

Great.  Smoother integration between GPGME and gnutls's openpgp stuff
would be useful indeed, and seems feasible.  Alas, too little time.

Possibly it is simplest to do this using the sign callback interface in
GnuTLS.  The current callback API is a bit limited, and I don't know if
anyone is using it seriously, so it would need to be documented and
tested better.

/Simon

Return

Return to gmane.comp.encryption.gpg.gnutls.devel.

Advertisement

Search Archive

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane