Well, I just received an email from Kyle Huff, author of gpgAuth in FireGPG:
Buanzo, (and everyone else getting this too.)
I have reviewed the links you sent me Buanzo, and here is the reality:
I think gpgAuth is pretty much an obsolete approach to GPG web
authentication in light of maopenpgp. (In reality, gpgAuth was always
obsolete, we just didn't know it. Where was all this info when I was
looking for a GPG-HTTP authentication method. It would have been nice
to know this before we started gpgAuth.)
When we started this project we wanted to first prove the concept in a
plug-and-play fashion that works at the web-application level (thus the
mod_python implementation), and from there move on to the web-server
level. What you have with maopenpgp is essentially the end goal we
wanted to produce with gpgAuth (the authentication working at the
web-server level, agnostic to the web-application language).
So I guess what I am saying is I do not see a value in continuing the
development of gpgAuth, as your project seems to meet our goals
(symmetric GPG authentication for apache, with plans for IIS, an RFC
with the IETF blessing, etc).
So I am having difficulty understanding how gpgAuth is useful to
maopenpgp, as Python/Perl/Ruby/ASP/etc will have access to the
headers/server variables to allow the web-application to use maopenpgp
to authenticate users and allow access to protected/per-user content.
Additionally, I think the gpgAuth integration into FireGPG also becomes
obsolete, as there is already a method of handling maopenpgp for
Mozilla (Enigform).
Unless I do not understand maopenpgp, I think maopenpgp supersedes
gpgAuth altogether, and sadly, I do not see a point in continuing
with the gpgAuth project as the only benefit to gpgAuth that I can
see, is that the web-server need only support mod_python to work.
Thoughts anybody?
Kyle L. Huff
And this is my reply:
Buanzo wrote: Kyle L. Huff wrote:
> > Buanzo, (and everyone else getting this too.)
Hey Kyle. I publicly apologize for accidentally deleting your account when you subscribed to the
buanzo.com.ar forums. Sorry, it was a busy week deleting spammers (I was using phpBB Beta 5, I'm not
at rc2. Beta5 had some captcha issues, so I went into user-is-admin-activated mode).
> > I think gpgAuth is pretty much an obsolete approach to GPG web
> > authentication in light of maopenpgp. (In reality, gpgAuth was always
> > obsolete, we just didn't know it. Where was all this info when I was
> > looking for a GPG-HTTP authentication method. It would have been nice
> > to know this before we started gpgAuth.)
I always used "OpenPGP" to refer to the open standard, instead of gpg or gnupg. You probably missed
it because of that mistake on my behalf. I should have granted the gpg term more space, as it is the
only OpenPGP implementation I'm currently supporting.
> > What you have with maopenpgp is essentially the end goal we
> > wanted to produce with gpgAuth (the authentication working at the
> > web-server level, agnostic to the web-application language).
I think of m_a_o and Enigform as "OpenPGP extensions to HTTP". My initial goal was identity and
request integrity, but today it is more of a general framework.
> > So I am having difficulty understanding how gpgAuth is useful to
> > maopenpgp, as Python/Perl/Ruby/ASP/etc will have access to the
> > headers/server variables to allow the web-application to use maopenpgp
> > to authenticate users and allow access to protected/per-user content.
I don't like the idea of gpgAuth dying, but rather converting it into an authentication methodology
built over Enigform/m_a_o if you prefer. I mean, you are right: Python/PHP/etc have access to
special headers, but there is no solid implementation of a registration mechanism, for example.
gpgAuth could be the missing link, maybe?
What do you people think?