some opencdk history

Daniel Kahn Gillmor at
Tue Jul 8 17:52:27 CEST 2008

On Sat 2008-07-05 01:21:56 -0700, Nikos Mavrogiannopoulos wrote:

>  I've finally found some time to check your patch and I have some
> remarks. The first is about patches in opencdk. The opencdk library
> included in gnutls is a crippled version of the "full" opencdk
> library by Timo Schulz. This crippling was done for mainly two
> reasons. The full opencdk library contained GPL code that forced us
> to include the openpgp support only in libextra, and the second is
> that we only wanted to include the parts of opencdk we used.

Cool, thanks for the explanation, Nikos.  Are you saying that the
OpenPGP pieces of GnuTLS themselves are now *not* in libextra, then?
That they currently fall under the LGPL instead?  I know that there
has been a lot of changes recently, but i haven't followed them
closely enough to know here.

Was it necessary to remove the pieces that were removed *because* they
were only under the GPL, not the LGPL?  

Was there a copyright assignment over the OpenCDK sources to the FSF?
If so, is the FSF willing to consider re-licensing the code under LGPL
so that we can include all the functionality instead of just part of

> Thus if you or anyone wants to add anything to gnutls' opencdk it
> might be appropriate to check the older opencdk library if it
> contains the code and is under LGPL. This still will require some
> porting (since now the included opencdk uses gnutls' internal api)
> but that wouldn't be that difficult.

I think you're suggesting to check the source of the older opencdk if
anything seems like it is missing from the stripped-down version.
Thanks for the pointer; i'll certainly do that.

> About the specific patch, it is quite useful, but since it does not
> affect the gnutls' API or add anything to it, I'll keep from
> applying it until it is complete.

Actually, the patch as it stands does add something to the
capabilities of libgnutls: consider the case where you have a
passphrase-encrypted OpenPGP secret key.  Without the patch, GnuTLS
will actually choke on the key itself and be unable to even create a
gnutls_openpgp_privkey_t from the data (encountering the S2K chunk in
the protected key caused a CDK_Not_Implemented).

With the patch, GnuTLS can create a gnutls_openpgp_privkey_t from such
a key.  It won't be able to manipulate the key cleanly for any purpose
that requires access to the secret MPIs themselves because they are
locked, but GnuTLS will still be able to do all of the pubkey
functions with that key.  For example, It should still be possible to
get the fingerprint of the key without knowing the secret MPIs.

I consider this to be a useful step (and a bugfix worth pushing into
the 2.4.x lines in its own right).  I'm also working on trying to take
the patches one level further, as you suggest, but i think that
proposed change stands alone.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: </pipermail/attachments/20080708/121fa383/attachment.pgp>

More information about the Gnutls-devel mailing list