Edits of chapter 2

Integrates Paul's suggestions in #20
This commit is contained in:
Heiko Schaefer 2023-09-20 22:32:37 +02:00
parent b56b56f9b6
commit 6a37e6966d
No known key found for this signature in database
GPG key ID: 4A849A1904CCBD7D

View file

@ -16,7 +16,6 @@ The original "PGP" software was never under a Free Software license, even though
The ownership and branding of the product has [changed over the years](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_and_Symantec). The software enjoys a continued existence, albeit with [changing name and scope](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_encryption_applications). The ownership and branding of the product has [changed over the years](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_and_Symantec). The software enjoys a continued existence, albeit with [changing name and scope](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_encryption_applications).
### Standardizing OpenPGP ### Standardizing OpenPGP
While the original PGP software was developed as a commercial product, the owner at the time, "PGP Inc." started a standardization effort with the IETF in July 1997. While the original PGP software was developed as a commercial product, the owner at the time, "PGP Inc." started a standardization effort with the IETF in July 1997.
@ -26,20 +25,21 @@ The result of this early standardization work is [RFC 2440 "OpenPGP Message Form
The name "OpenPGP" can be used freely by implementations (unlike the name "PGP", which is a [registered trademark](https://uspto.report/TM/74685229)). The name "OpenPGP" can be used freely by implementations (unlike the name "PGP", which is a [registered trademark](https://uspto.report/TM/74685229)).
### GnuPG, a free software implementation ### GnuPG, an early Free Software implementation
[First released 1997-12-20](https://gnupg.org/download/release_notes.html#sec-2-70), GnuPG is an implementation of the OpenPGP standard. [First released 1997-12-20](https://gnupg.org/download/release_notes.html#sec-2-70), GnuPG (the "Gnu Privacy Guard") is an implementation of the OpenPGP standard.
GnuPG has been the major Free Software implementation of OpenPGP for a period of time. It has played an important (and successful) role in the release of NSA documents by [Edward Snowden](https://theintercept.com/2014/10/28/smuggling-snowden-secrets/). GnuPG has been a major early Free Software implementation of OpenPGP. It has played an important (and successful) role in the release of NSA documents by [Edward Snowden](https://theintercept.com/2014/10/28/smuggling-snowden-secrets/).
Note: The terms "pgp key" and "gpg key" are sometimes used interchangeably. Since both PGP and GnuPG are just some out of many existing OpenPGP implementations, the proper term to use is "OpenPGP key" (or "OpenPGP certificate", more on that later [link]). The GnuPG program binary is called `gpg`, thus the names "GnuPG" and "gpg" are often used interchangeably.
Note: The terms "pgp key" and "gpg key" are sometimes used. Since PGP and GnuPG are just two of many existing OpenPGP implementations, the proper term is "OpenPGP key" (or "OpenPGP certificate", more on that [later](certificates_chapter)).
## The present ## The present
### OpenPGP version 4 ### OpenPGP version 4
In 2007, [RFC 4880](https://datatracker.ietf.org/doc/html/rfc4880), defining version 4 of OpenPGP, was published. In 2007, [RFC 4880](https://datatracker.ietf.org/doc/html/rfc4880), defining version 4 of OpenPGP, was published. This version is currently most commonly used in the wild.
This version is currently most commonly used
(major_implementations)= (major_implementations)=
### Multiple major implementations ### Multiple major implementations
@ -55,42 +55,61 @@ Today multiple new Free Software implementations of OpenPGP play important roles
### OpenPGP version 6 ### OpenPGP version 6
As of this writing (in 2023), [version 6 of OpenPGP](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) is approaching publication as an RFC. As of this writing (in 2023), [version 6 of OpenPGP](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) is approaching publication as an RFC.
The working group's [charter](https://datatracker.ietf.org/wg/openpgp/about/#autoid-1) centers around updating the cryptographic mechanisms, adding new algorithms, and deprecation of obsolete algorithms. The IETF working group's [charter](https://datatracker.ietf.org/wg/openpgp/about/#autoid-1) centers around updating the cryptographic mechanisms, adding new algorithms, and deprecation of obsolete algorithms.
This document mainly describes OpenPGP version 6, while pointing out differences to previous versions that are relevant to application developers. This document describes OpenPGP version 6, while pointing out differences to previous versions that are relevant to application developers.
Multiple implementations have already done significant work on support for version 6. Significant work on support for OpenPGP version 6 has already been done for multiple implementations, including:
- GOpenPGP,
- OpenPGP.js,
- PGPainless,
- PGPy,
- Sequoia PGP.
## Concepts ## Concepts
Building on the cryptographic building blocks OpenPGP uses, it provides the following high-level functionalities.
### Certificates/Keys ### Certificates/Keys
Use of OpenPGP is centered around (asymmetric) cryptographic keys. In OpenPGP, these keys are combined with additional metadata into "OpenPGP certificates" - also often referred to as "OpenPGP keys." Use of OpenPGP is centered around (asymmetric) cryptographic keys.
See the [certificates chapter](certificates_chapter) for more on OpenPGP certificates, and their internal makeup, and the [private key chapter](private_key_chapter) for handling of private key material in OpenPGP. In OpenPGP, bare cryptographic keys are combined with additional metadata into "OpenPGP certificates", which are a relatively complex data structure (OpenPGP certificates are also often called "OpenPGP keys").
An OpenPGP certificate can evolve over time, with components being added, expiring, or being marked as invalid.
See the chapter about [certificates](certificates_chapter) for more on OpenPGP certificates, and their internal makeup, and the chapter about [private keys](private_key_chapter) for handling of private key material in OpenPGP.
Other important topics around certificates are their management, authentication, and trust models. We will only touch on those, in this document. Other important topics around certificates are their management, authentication, and trust models. We will only touch on those, in this document.
### Cryptographic operations ### High-Level operations
The main operations of OpenPGP are discussed in the following chapters: With OpenPGP it's possible to:
- [Encryption](encryption_chapter) and [Decryption](decryption_chapter) - [Encrypt](encryption_chapter) and [Decrypt](decryption_chapter) Messages
- [Digital signatures](signatures_chapter) - Sign Data
- Issue and examine Statements about Keys and Identities (to perform CA-like functionality)
### Building blocks
To perform these high-level operations, the following building blocks are used:
- Encryption
- Signature Algorithms
- OpenPGP Signatures (made from raw signatures; Certifications, Data Signatures)
- Keys, Subkeys
- User IDs
## Zooming in: Internal structure of OpenPGP data ## Zooming in: Internal structure of OpenPGP data
OpenPGP data is internally structured as "packets" (and sometimes "subpackets"). We'll go into some detail about this, throughout the coming chapters. OpenPGP data is internally structured as "packets." We'll look at examples of this internal structure throughout the following chapters. Familiarizing ourselves with the internal format of OpenPGP data will enable us to debug issues.
``` Gaining some familiarity with the internal structure of OpenPGP data will also help us to read the OpenPGP RFC, which describes the structure of OpenPGP packets in full detail.
add a tiny bit more detail here
``` In this text, however, most of the time we look at OpenPGP at a higher level of abstraction.
(interop_section)= (interop_section)=
## Interoperability ## Interoperability
OpenPGP has been defined as a standard with the express goal of enabling multiple parties to build interoperable implementations. This has already been a success early on, but in recent years, there has been [much development of new implementations]((major_implementations)). OpenPGP was standardized in 1997 to encourage development of interoperable implementations. This has already been a success early on, but in recent years, there has been [much development of new implementations]((major_implementations)).
While interoperability has been an informal goal in the OpenPGP space since the initial standardization, since 2019 the Sequoia project is maintaining and operating the more formal ["OpenPGP interoperability test suite"](https://tests.sequoia-pgp.org/). This test suite has identified numerous [issues](https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite#hall-of-fame). Historically, interoperability has only been tested ad-hoc. Since 2019 the Sequoia project is maintaining and operating the ["OpenPGP interoperability test suite"](https://tests.sequoia-pgp.org/), for more rigorous and systematic testing. The test suite has identified numerous [issues](https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite#hall-of-fame).