
That sounds like NIH syndrome.


It's possible, but from my conversations with Google engineers in the past I'd guess (with no inside knowledge) that it was the result of a serious security evaluation of existing code.

Especially post-Snowden, Google is taking this very seriously. See these posts, for instance, about TLS weaknesses and implementation of ChaCha20 and Poly1305 in OpenSSL -- a non-trivial task: http://googleonlinesecurity.blogspot.com/2013/11/a-roster-of... http://googleonlinesecurity.blogspot.com/2014/04/speeding-up...

Also, the account you're posting from was created 22 minutes ago and has done nothing but post criticisms of today's announcement. Coincidence? :)


> Also, the account you're posting from was created 22 minutes ago and has done nothing but post criticisms of today's announcement. Coincidence? :)

Declan, nothing but respect for all your writings, but he's got to make an account one day, and if he's critical but otherwise polite and seems to be willing to concede the point, why attack like that? It might be an account created specifically to protect a reputation. As far as I can see his concerns are valid and the answers are to the point. I'd rather see someone be extra critical when it comes to new crypto stuff than too lax.


You're right. In retrospect I was a little too suspicious, and <1345>'s subsequent comment was perfectly fair.


It's great to see them making the effort, but why not notify OpenPGP.js of the outcome of a security evaluation? (I'm not aware of any other active JavaScript OpenPGP implementation, so I assume that's what you're referring to.) I've been following OpenPGP.js for a while and I've not seen anything from Google.

OpenPGP.js is not an amazing code base, I know this for sure. Perhaps a rewrite was the only way to salvage it.

I wonder why they didn't release the library independent from a browser extension. A brief look at the directory structure makes it seem that it wouldn't be too hard to decouple the OpenPGP implementation from the extension.

In any case, this is a big win for privacy. Reinventing the wheel or not.



