Sequoia PGP (2022)
Secure communication, signatures and authentication, in Rust
Key facts
- Status: Past
- Investment Amount: €200,000.00
- Investment Year(s): 2022, 2023
OpenPGP is an encryption and signing protocol that is most widely used to enable authenticated and encrypted end-to-end communication via e-mail and the signing and verification of software packages. This makes it a critical protocol for many basic internet applications, such as secure communication and software supply chains. Supporting and promoting interoperable implementations can make the protocol - and the ecosystem - more resilient by encouraging broad adoption and eliminating bugs.
The various libraries and implementations around PGP should be understood as an ecosystem that requires continuous development and diversification. The mandate is to support the entire ecosystem by further developing multiple implementations of the protocol, in this case the Rust implementation “Sequoia PGP.”
Sequoia PGP is a modern OpenPGP implementation with a focus on security, usability, and interoperability. It is written in Rust, a so-called “memory-safe language,” and has an extensive testing infrastructure to ensure that the implementation not only works as intended, but also interacts well with other implementations.
Why is this important?
The chosen OpenPGP implementations enable a variety of use cases. Encryption allows the sender to ensure that no one but the recipient can access confidential information. Signing allows the recipient to verify that the communication originates from the sender and has not been tampered with. By verifying public keys, both parties can ensure that they are communicating with the person they intend to communicate with. Secure end-to-end communication is important for journalists, government agencies, businesses, and any institution or individual that uses email and has a need for private, confidential, or signed communication.
Just as with email, OpenPGP can also be used to sign and encrypt software packages. While encrypting open-source software is of limited use because it is usually not confidential, signing and verifying signatures is often used to assure developers and consumers that the software has not been tampered with. Signing also enables open-source projects to verify that a software contribution comes from a legitimate contributor, helping protect against actors who may want to tamper with the software by assuming the identity of a trusted contributor.
What are we funding?
We are funding work to increase the usability and security of Sequoia PGP by developing Git signatures for software supply chains, developing and documenting an API for use via Python, and further developing support for PGP smart cards. Furthermore, the Sequoia PGP test suite will be used to further develop the framework for automated interoperability testing.