openpgp-notes/book/source/01-intro.md

# OpenPGP: what is it, history

This document is intended as an introduction to the inner workings of OpenPGP,
aimed mainly at technical readers.

It is *not* a guide for *use* of OpenPGP by end-users.

## What is OpenPGP?

OpenPGP is an open standard that was developed based on the
["Pretty Good Privacy (PGP)"](https://en.wikipedia.org/wiki/Pretty_Good_Privacy)
software.

The standard has evolved over time, and there is ongoing work to improve it.
[RFC 4880](https://datatracker.ietf.org/doc/html/rfc4880) is the most recent
published version of the standard (describing OpenPGP version 4).

An IETF working group is currently finalizing a
[new revision](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/),
of the OpenPGP standard (which will describe OpenPGP version 6).
The current standardization work focuses on updating the cryptographic
mechanisms in OpenPGP.

There are multiple [interoperable](https://tests.sequoia-pgp.org/)
implementations with significant use.

## A very brief history (dramatis personae)

### PGP

*"Pretty Good Privacy (PGP)"* is a software program, initially by Phil
Zimmermann, first released in 1991.

The PGP software has played a role in the political struggles sometimes
referred to as the ["Crypto Wars"](https://en.wikipedia.org/wiki/Crypto_Wars)
(also see https://en.wikipedia.org/wiki/Crypto_(book) for some of that history,
including about the history of PGP).

The "PGP" software was never under a Free Software license,
even though its source code has at one point been widely published.

The ownership and branding of the product has
[changed over the years](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_and_Symantec),
The software enjoys a continued existence, albeit with
[changing name and scope](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_encryption_applications).


### OpenPGP

While the PGP software was developed as a commercial product, the owner at the time,
"PGP Inc." started a standardization effort with the IETF in July 1997.
The resulting open standard was named
[OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP).

The result of this first round of standardization work under the "OpenPGP"
name is [RFC 2440](https://datatracker.ietf.org/doc/html/rfc2440),
published November 1998.

The name "OpenPGP" can be used freely by implementations (unlike the name
"PGP", which is a [registered trademark](https://uspto.report/TM/74685229)).

### GnuPG

[First released 1997-12-20](https://gnupg.org/download/release_notes.html#sec-2-70),
GnuPG is an implementation of the OpenPGP standard.

GnuPG has been the major Free Software implementation of OpenPGP for a period
of time. It has played a role in the release of NSA documents by
[Edward Snowden](https://theintercept.com/2014/10/28/smuggling-snowden-secrets/)

## Multiple major implementations

Today, multiple implementations of OpenPGP play an important role:

- Protonmail, who serve a large number of users, use (and maintain)
[OpenPGP.js](https://openpgpjs.org/).
- The Thunderbird email software is using the [RNP](https://www.rnpgp.org/)
implementation for their built-in OpenPGP support since version 78 (released in mid-2020).
- The RPM Package Manager software includes an OpenPGP backend based on
[Sequoia PGP](https://sequoia-pgp.org/), a modern OpenPGP implementation in Rust.
Fedora [uses Sequoia PGP in rpm](https://sequoia-pgp.org/blog/2023/04/27/rpm-sequoia/)
since version 38.
Initial outline and old notes (Rough merge of two precursor projects by Heiko, and outline notes by Paul) 2023-09-14 21:30:43 +02:00			`# OpenPGP: what is it, history`

			`This document is intended as an introduction to the inner workings of OpenPGP,`
			`aimed mainly at technical readers.`

			`It is not a guide for use of OpenPGP by end-users.`

			`## What is OpenPGP?`

			`OpenPGP is an open standard that was developed based on the`
			`["Pretty Good Privacy (PGP)"](https://en.wikipedia.org/wiki/Pretty_Good_Privacy)`
			`software.`

			`The standard has evolved over time, and there is ongoing work to improve it.`
			`[RFC 4880](https://datatracker.ietf.org/doc/html/rfc4880) is the most recent`
			`published version of the standard (describing OpenPGP version 4).`

			`An IETF working group is currently finalizing a`
			`[new revision](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/),`
			`of the OpenPGP standard (which will describe OpenPGP version 6).`
			`The current standardization work focuses on updating the cryptographic`
			`mechanisms in OpenPGP.`

			`There are multiple [interoperable](https://tests.sequoia-pgp.org/)`
			`implementations with significant use.`

			`## A very brief history (dramatis personae)`

			`### PGP`

			`"Pretty Good Privacy (PGP)" is a software program, initially by Phil`
			`Zimmermann, first released in 1991.`

			`The PGP software has played a role in the political struggles sometimes`
			`referred to as the ["Crypto Wars"](https://en.wikipedia.org/wiki/Crypto_Wars)`
			`(also see https://en.wikipedia.org/wiki/Crypto_(book) for some of that history,`
			`including about the history of PGP).`

			`The "PGP" software was never under a Free Software license,`
			`even though its source code has at one point been widely published.`

			`The ownership and branding of the product has`
			`[changed over the years](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_and_Symantec),`
			`The software enjoys a continued existence, albeit with`
			`[changing name and scope](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_encryption_applications).`


			`### OpenPGP`

			`While the PGP software was developed as a commercial product, the owner at the time,`
			`"PGP Inc." started a standardization effort with the IETF in July 1997.`
			`The resulting open standard was named`
			`[OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP).`

			`The result of this first round of standardization work under the "OpenPGP"`
			`name is [RFC 2440](https://datatracker.ietf.org/doc/html/rfc2440),`
			`published November 1998.`

			`The name "OpenPGP" can be used freely by implementations (unlike the name`
			`"PGP", which is a [registered trademark](https://uspto.report/TM/74685229)).`

			`### GnuPG`

			`[First released 1997-12-20](https://gnupg.org/download/release_notes.html#sec-2-70),`
			`GnuPG is an implementation of the OpenPGP standard.`

			`GnuPG has been the major Free Software implementation of OpenPGP for a period`
			`of time. It has played a role in the release of NSA documents by`
			`[Edward Snowden](https://theintercept.com/2014/10/28/smuggling-snowden-secrets/)`

			`## Multiple major implementations`

			`Today, multiple implementations of OpenPGP play an important role:`

			`- Protonmail, who serve a large number of users, use (and maintain)`
			`[OpenPGP.js](https://openpgpjs.org/).`
			`- The Thunderbird email software is using the [RNP](https://www.rnpgp.org/)`
			`implementation for their built-in OpenPGP support since version 78 (released in mid-2020).`
			`- The RPM Package Manager software includes an OpenPGP backend based on`
			`[Sequoia PGP](https://sequoia-pgp.org/), a modern OpenPGP implementation in Rust.`
			`Fedora [uses Sequoia PGP in rpm](https://sequoia-pgp.org/blog/2023/04/27/rpm-sequoia/)`
			`since version 38.`