openpgp-notes/book/source/01-intro.md

2023-09-15 11:14:06 +02:00
# Notes on OpenPGP

An introduction to the concepts of OpenPGP, aimed mainly at software
developers who are looking to use OpenPGP functionality in their projects.

This document describes
[OpenPGP version 6](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/),
with occasional remarks about differences to earlier versions.
This text is *not* intended as a guide for end-users who use OpenPGP-related software.

## What is OpenPGP?

OpenPGP is an open standard for cryptographic operations.
It has grown out of the
["Pretty Good Privacy (PGP)"](https://en.wikipedia.org/wiki/Pretty_Good_Privacy)
software.

OpenPGP is an open standard, and there are many widely used
(and [interoperable](https://tests.sequoia-pgp.org/)) implementations.

## A very brief history

The OpenPGP standard has evolved over time.

(Also see https://www.openpgp.org/about/history/)

### "Pretty Good Privacy (PGP)"

The earliest roots of OpenPGP trace back to *"Pretty Good Privacy (PGP)"*,
a software program written by Phil Zimmermann and first released in 1991.

The original PGP software played a role in the political struggles sometimes
referred to as the ["Crypto Wars"](https://en.wikipedia.org/wiki/Crypto_Wars)
(also see https://en.wikipedia.org/wiki/Crypto_(book) for some of that history,
including the history of PGP).
The "PGP" software was never under a Free Software license,
even though its source code was at one point widely published.
The ownership and branding of the product have
[changed over the years](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_and_Symantec).
The software enjoys a continued existence, albeit with
[changing name and scope](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_encryption_applications).

### Standardizing OpenPGP

While the PGP software was developed as a commercial product, the owner at the time,
"PGP Inc.", started a standardization effort with the IETF in July 1997.
The resulting open standard was named
[OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP).

The result of this early standardization work is
[RFC 2440 "OpenPGP Message Format"](https://datatracker.ietf.org/doc/html/rfc2440),
published November 1998.
The name "OpenPGP" can be used freely by implementations (unlike the name
"PGP", which is a [registered trademark](https://uspto.report/TM/74685229)).

### GnuPG, a free software implementation

[First released 1997-12-20](https://gnupg.org/download/release_notes.html#sec-2-70),
GnuPG is an implementation of the OpenPGP standard.
GnuPG has been the major Free Software implementation of OpenPGP for a period
of time. It has played an important and successful role in the release of NSA
documents by [Edward Snowden](https://theintercept.com/2014/10/28/smuggling-snowden-secrets/).

## The present
### Multiple major implementations

Today, multiple implementations of OpenPGP play an important role:

- Protonmail, who provide email encryption services for a large number of users,
  use (and maintain) [OpenPGP.js](https://openpgpjs.org/).
- The Thunderbird email software has used the [RNP](https://www.rnpgp.org/)
  implementation for its built-in OpenPGP support since version 78 (released in mid-2020).
- The RPM Package Manager software includes an OpenPGP backend based on
  [Sequoia PGP](https://sequoia-pgp.org/), a modern OpenPGP implementation in Rust.
  Fedora [has used Sequoia PGP in rpm](https://sequoia-pgp.org/blog/2023/04/27/rpm-sequoia/)
  since version 38.

### OpenPGP version 6

This document mainly describes OpenPGP version 6, which brings many updates to the core cryptographic mechanisms
compared to the previous version 4.
As of this writing (in 2023), version 4 of OpenPGP is still most commonly used.
OpenPGP version 4 is described in [RFC 4880](https://datatracker.ietf.org/doc/html/rfc4880).