Contract 'Mailvelope development' 2018 (mw18)
Scheduled contract timeline: January 2018 - January 2019.
- Extend Mailvelope to provide end-to-end encryption for HTML forms
- Improve OpenPGP.js to provide all features necessary to be compatible with GnuPG on OpenPGP and its likely updates.
- Design and implement a secure way of exchanging public keys with Mailvelope.
- Pass an external security review.
The team consists of the German companies Intevation GmbH and Mailvelope GmbH. As subcontractors, Passbolt, g10 Code and Tankred Hase help implement the features in Mailvelope, OpenPGP.js and GnuPG. The subcontractor Cure53 helps verify the security properties of the design and implementations of this contract. During the project, Protonmail also became a subcontractor and implemented most features in OpenPGP.js.
2018-11-15: The development phase of this project is almost done. Current results:
Is included in GPGME releases since 1.12.0 from 2018-10-09
The feature set of OpenPGP.js is now more compatible with the OpenPGP reference implementation GnuPG. New features are:
- ECC support for P256, P384, P521, SECP256K1, Ed25519/Curve25519 and NIST curves
- ECC support for Brainpool curves
- Modern implementation of BigInteger and public key algorithms
- bzip2 support (decompression)
- Revocation certificates
- AEAD (EAX and OCB)
- V5 keys
Is included in OpenPGP.js releases v4.2.0 from 2018-11-05 or newer
Mailvelope got a redesign of the keyring presentation, including a new keyring that uses GnuPG as the crypto backend if GnuPG is natively available on the system. To find recipients' public keys more automatically, Mailvelope supports WKD (Web Key Directory) public key lookup using either OpenPGP.js or GnuPG.
As a completely new feature, Mailvelope provides encryption of web forms embedded in a webpage. The form shown is a signed HTML element that will be encrypted before submission. Only the recipient is able to decrypt the submitted data, which allows somebody else to operate the web server. To make it easier to create a signed form element, Mailvelope provides a tool that converts an HTML form into a Mailvelope-compatible encrypted form element that can be embedded in any webpage.
This is published with Mailvelope 3.0 beta versions and is to be included with the upcoming Mailvelope 3.0 release (planned for 2018-11-19).