
FAQ is a bit confusing. They say there's only one keyring, but at https://github.com/google/end-to-end/wiki/Keyring they admit it was not a great idea and that they're splitting the responsibilities.

Based on the last planned implementation (External Key Manager (GnuPG bridge, other hardware, network oracle, etc.)), I hope it will "just work" with hardware keys.




One of the developers here:

Yes, the Keyring reimplementation is in progress and ends very soon. After the redesign, applications built on top of the E2E library will be able to use different sources of both public and private keys (so it's easy to do integrations with GnuPG, hardware keys, HKP, or e.g. Facebook).

The API will be similar to what's in https://github.com/google/end-to-end/wiki/Keyring.


One thing that is currently missing from E2E (as far as I can tell having played with it a little in the last month) is any kind of web of trust. When I import a key, I can't tell if it has been signed by me or someone I trust. Is this on the radar for the UI after the Keyring reimplementation is finished?

At the moment, what we've suggested at our work is that people manage keys in GPG and then only export keys into E2E if they trust them. But it would be nice to be able to do those kinds of things in E2E (or at least be able to tell if a key was signed by me).

BTW, thanks for working on this!


See https://github.com/google/end-to-end/wiki/Key-Distribution. In short, we don't invest much into WoT.


After giving that a read, I'm happy that there are people way smarter than me working on these problems. Kudos to your efforts!



