Implementation Notes

From LID Wiki

It has come up that the reference implementation and the documentation aren't always clear about whether to use the full gpg command, or drop the leading hyphen from the first argument when passed in a web parameter. We have decided on the mailing list that we should always use the double hyphens.

Since we already have users who have installed and are using the reference code, new code should accept both single and double hyphens, at least for a while, and if we can't get the public key from the user's LID(tm) with a "?meta=gpg%20--export%20--armor", we should fall back to the "?meta=gpg%20-export%20--armor" version.

On page 15 of the white paper, Johannes writes "Note that arguments such as gpg -export --armor or gpg --clearsign are just symbolic names, not commands that are supposed to be executed using a system call without further checking. If they were, that would create a very substantial security hole. We just can’t think of a good reason why we should come up with a different, made-up name for what can be comprehended much better by simply using the text for the command that we have in mind.)"

The answer, of course, is that lazy implementers will take advantage of the confluence to do precisely the thing decried in that paragraph. If you even make it *possible*, then you pretty much have to take the ethical responsibility when some schmuck does it, even if you said not to. IMHO.  :-) --Baylink 12:20, 14 Feb 2005 (PST)

There's the additional issue that it's very easy to misspell these. We should resolve this for LID 2.0.