Hello,
my name is Ralf Senderek, I'm a secure solutions designer. Linux has been my operating system since 1994. Over time I have developed and released security-related analysis and open source software on my personal web site.
Recently, since Jan 2015, I have been working on a secure message system called Crypto Bone which combines usability and security. I tried to make this system as usable as possible with a new approach to encryption key management, because I realized that complex key management is the main reason for ordinary users not to use encryption. And I want to change that.
On the other hand, I need to secure the encryption keys in a way that enables the ordinary user to take control himself. The result - the cryptobone - is now finished and I thought I should package this software for the Fedora repository.
So I requested a review of the new cryptobone package: https://bugzilla.redhat.com/show_bug.cgi?id=1310092
And, of course, I'm seeking a sponsor for this package, because I'm a new contributor.
During the development of the cryptobone software, I decided to reduce the cryptographic core to a bare minimum and to use Peter Gutmann's cryptlib as the only dependency for my own crypto code. I hope that including cryptlib in my own package will enrich the Fedora code base. And I hope to be able to make secure messaging a reality for many users who need it.
Thank you for your interest and feedback.
Ralf.
PGP key: https://senderek.ie/keys/encryptionkey.asc (2546174A)
Ralf Senderek wrote:
During the development of the cryptobone software, I decided to reduce the cryptographic core to a bare minimum and to use Peter Gutmann's cryptlib as the only dependency for my own crypto code. I hope that including cryptlib in my own package will enrich the Fedora code base. And I hope to be able to make secure messaging a reality for many users who need it.
Why do you bundle cryptlib rather than simply packaging it as a library that other packages could use, too?
Kevin Kofler
This is an obvious idea and I'm willing to do that.
But there are at least two reasons why I shouldn't do that as a first step.
The Crypto Bone is designed to use only a tiny fraction of the cryptlib system, the symmetric encryption framework, because RSA/PKI and such aren't necessary for the key management and the source code should be as auditable as possible. Even though I include the full cryptlib at the moment with no changes or patches to the source code, I only need a much reduced, local version. That's why I provide the cryptlib so-file in the location where it is needed by the cryptobone package for exclusive use by the root user.
As you may know, the cryptlib source code is designed to run everywhere and provides a number of test programs (and excellent documentation too), so providing a separate library package must include all this excellent stuff. I'm willing to tackle this task when my first package is done.