Sequoia PGP (2023)

Secure communication, signatures, and authentication, in Rust

Key facts

Status: Current
Investment Amount: €900,000.00
Investment Year(s): 2023, 2024

OpenPGP is a critical internet standard for encryption, signing, and authentication. It is widely used in end-to-end encryption of email communication and other basic internet applications. OpenPGP is also used to protect the software supply chain through the signing and verification of software updates and other digital artifacts.

The many libraries and tools around OpenPGP form an ecosystem that requires continuous development and benefits from diversification. Supporting and promoting interoperable implementations of OpenPGP can make the standard – and its ecosystem – stronger and more resilient by encouraging broad adoption and reducing the number of bugs.

The Sovereign Tech Fund’s goal is to support the ecosystem by encouraging multiple implementations of the protocol, in this case the Rust implementation “Sequoia PGP.”

Sequoia PGP is a modern OpenPGP implementation with a focus on security, usability, and interoperability. It is written in Rust, a “memory-safe” language, and has an extensive testing infrastructure to ensure that the implementation not only works as intended, but also interacts well with other implementations.

The Sequoia PGP project is working to make using cryptography for privacy and authentication more commonplace and easy to use. The project aims to simplify the adoption of strong encryption and strong authentication, and to build a decentralized, easier-to-use, cross-protocol Public Key Infrastructure.

OpenPGP is used widely in the IT industry and by free and open source projects to verify the authenticity of software packages, and for encrypting and authenticating messages. The Sequoia PGP team is also designing and rebuilding a decentralized infrastructure (sequoia git) for verifying repositories, to improve software production security.

The Sovereign Tech Fund support has been critical for Sequoia PGP’s team to continue their work. For the future, Sequoia PGP seeks to diversify its funding by increasing individual donations and by building up strategic partnerships with companies using Sequoia.

Why is this important?

Sequoia PGP enables secure end-to-end communication, which is important for journalists, government agencies, businesses, and any institution or individual using electronic communication like email with a need for private, confidential, or authenticated communication.

Encryption and authentication allow the sender to ensure that no one but the intended recipient can access confidential information. Signing allows the recipient to verify that the communication originates from the sender and has not been tampered with.

With the tools that the Sequoia PGP project intends to build, OpenPGP can be used independent of the transport method. Using just Sequoia PGP and copy-and-paste, users can send encrypted messages via Facebook Messenger, via Mastodon direct messages, via SMS, as printed-out QR codes, or as files on a USB thumb drive. This makes OpenPGP an excellent encryption standard that can also be used almost anywhere.

OpenPGP can also be used to sign and encrypt software packages. The function of signing and verifying signatures is often used to provide assurance to developers and consumers that the software has not been tampered with. Signing also allows open source projects to verify that a software contribution comes from a legitimate contributor, and helps protect against actors who want to tamper with software by assuming the identity of a trusted contributor.

Software signing methods are becoming ever more important and critical for digital infrastructure, software development, and industry. As part of the project, the Sequoia PGP team is working on specifying what a signature means, and designing and building infrastructure to verify a repository and its related repositories (i.e., a repository’s dependencies). They are doing this in such a way that no centralized infrastructure, including blockchain, is needed. Designing software signing methods this way makes the repository fully self-describing, which is significant for reproducibility.

More generally, the investment in several OpenPGP implementations continues to be strategically important for supporting the ecosystem. There is a strong public interest in different, well-maintained implementations serving different use cases. The Sequoia PGP team is well-connected to other actors in the field, like those working on the JavaScript and Go implementations, and plans to engage further at events like IETF with the OpenPGP working group’s “crypto refresh” document.

What are we funding?

As one of the Sovereign Tech Fund’s pilot projects (October 2022 through May 2023), the following work was commissioned:

  • increase the usability of Sequoia PGP by specifying signing policies and developing tooling for software supply chains (this improves the security of other software and their users by making it easier for a downstream user to determine if a change was authorized by the project's maintainers),
  • develop and document an API for use via Python,
  • further develop support for PGP smart cards, and
  • use the Sequoia PGP test suite to further develop the framework for automated interoperability testing.

In 2023 and 2024, the team behind Sequoia PGP is planning to refine sq, the command line tool; to engage in standard setting work; and to improve the Sequoia OpenPGP library as well as to assist other projects in using and integrating Sequoia PGP.
