[cryptography] OpenPGP in Python: Security evaluations?

Fabio Pietrosanti (naif) - lists lists at infosecurity.ch
Tue Apr 21 06:34:39 EDT 2015


Hi all,

For any developer willing to use OpenPGP in an application developed in
Python, the main choice currently is to go with python-gnupg, which is
a wrapper on top of the GnuPG binary (https://pythonhosted.org/python-gnupg/).

That's architecturally a very bad choice, with plenty of constraints (for
example, you need to enable "/bin/sh" execution under the AppArmor sandboxing
profile of a Python application under Linux).

Currently there are only two pure-Python OpenPGP implementations:

* PGPy: https://github.com/SecurityInnovation/PGPy

* OpenPGP-Python: https://github.com/singpolyma/OpenPGP-Python

Both stacks rely on Python Cryptography for cryptographic primitive
implementations (https://pypi.python.org/pypi/cryptography).

We're considering switching away from GnuPG for the server-side PGP
processing and would like to ask the list for an opinion about those
implementations.

Is there anyone engaging in metrics to evaluate the security of an
OpenPGP implementation and/or who has already evaluated PGPy/OpenPGP-Python?


-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org -
https://ahmia.fi

