Google's posting today addresses this point, I think:
https://code.google.com/p/end-to-end/
"When we started work on End-To-End, there was no JavaScript crypto library that met our needs, so we built our own. During development we took into consideration all the criticisms and risks that we are aware of, and invested effort to mitigate these risks as much as possible... We hold ourselves to a higher standard; we started from scratch and created a testable, modern, cryptographic library. We created this new core library for End-To-End with support for BigInteger, modular arithmetic, Elliptic Curve, as well as symmetric and public-key encryption. Having done that, we then developed an OpenPGP implementation on top of it..."
It's possible, but from my conversations with Google engineers in the past I'd guess (with no inside knowledge) that it was the result of a serious security evaluation of existing code.
> Also, the account you're posting from was created 22 minutes ago and has done nothing but post criticisms of today's announcement. Coincidence? :)
Declan, nothing but respect for all your writings, but he's got to make an account one day, and if he's critical but otherwise polite and seems to be willing to concede the point, why attack like that? It might be an account created specifically to protect a reputation. As far as I can see his concerns are valid and the answers are to the point. I'd rather see someone be extra critical when it comes to new crypto stuff than too lax.
It's great to see them making the effort, but why not notify the OpenPGP.js project with the outcome of a security evaluation? (I'm not aware of any other active JavaScript OpenPGP implementation, so I assume that's what you're referring to.) I've been following OpenPGP.js for a while and I've not seen anything from Google.
OpenPGP.js is not an amazing code base, I know this for sure. Perhaps a rewrite was the only way to salvage it.
I wonder why they didn't release the library independent from a browser extension. A brief look at the directory structure makes it seem that it wouldn't be too hard to decouple the OpenPGP implementation from the extension.
In any case, this is a big win for privacy. Reinventing the wheel or not.
What's the implication there? At the end of the day it sounds like they simply didn't get involved in an open-source effort, in which case the NIH critique stands.