[eukaryotia]

>You need a comprehensive fundations to base on these experiments on.

The problem is that people build this huge, powerful libraries, but nobody seems to write the "limiting" libraries that take a subset of the powerful base library and create an easy to use experience from the user.

I suppose this largely stems from "implicit knowledge": People who can write cryptography apps likely know enough crypto that they can't themselves identify usability problems.

[zby]

Libraries are more powerful if they are decoupled. For example I wanted to build a website that would let you check message signature against public keyservers. This sounds trivial - but unfortunately the libraries that I've reviewed don't provide a 'check_sig( message, public_key)' function - but only a 'key_ring.check_sig( message )' function. This complicated the matter a lot - because I would have to download the public key and save it into a temp file and then build a key_ring out of that file (with some other complications that I don't remember right now). Enough to discourage me.

Huge does not mean powerful when it is hard to mix and match (and limit) the functionality.

[felixhammerl]

we're using and contributing to openpgp.js and so far this has worked pretty good for us, because it provides a sane API, properly documented, coherent code style, CI tested. here's a snippet for decryption and signature checking in Whiteout Mail: https://github.com/whiteout-io/mail-html5/blob/master/src/js...

[felixhammerl]

you are mixing two problems:

1) libraries are often too complex for the avg dev: well, crypto is complex and there is rarely a one-size-fits-all solution. however, there are high level APIs that address your issues in openpgp.js (https://github.com/openpgpjs/openpgpjs). problem is that a lot of people try to roll their own crypto if the library does not offer those high level #box() and #unbox() functions. and THAT is a real problem down the road.

2) lack of empathy is really a big problem, which I've articulated here: https://blog.whiteout.io/2015/01/29/why-alice-has-a-problem-...