From 67bdc2f64b0fb89cff24492e5244981d8f977bdc Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Sat, 7 Oct 2023 13:29:31 +0200 Subject: [PATCH 01/42] integrate operations & building blocks statements formerly in Ch2 --- book/source/01-intro.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/book/source/01-intro.md b/book/source/01-intro.md index b26e7f4..f030fdc 100644 --- a/book/source/01-intro.md +++ b/book/source/01-intro.md @@ -10,6 +10,15 @@ This text is *not* intended as a guide for end-users of OpenPGP-related software OpenPGP is an open standard for cryptographic operations. It is a system based on well-understood cryptographic building blocks. OpenPGP supports the secure delivery of files and messages between a sender and a recipient as well as verification of the sender. OpenPGP is an outgrowth of the ["Pretty Good Privacy (PGP)"](https://en.wikipedia.org/wiki/Pretty_Good_Privacy) encryption program and has many widely used and [interoperable implementations](interop_section). +With OpenPGP, you can: + +- [Encrypt](encryption_chapter) and [decrypt](decryption_chapter) messages +- [Sign](signing_data) and [verify](verification_chapter) data +- [Issue certifications and examine statements](certifications_chapter) about keys and identities, similar to the role of a Certificate Authority in validating identities. + +To achieve these operations, OpenPGP utilizes a set of [established cryptographic mechanisms](cyrptography_chapter). These building blocks are integrated into OpenPGP's format, which also manages and verifies identities. + + ## Who is the audience for this document? From 6a22002cb8c72999cd325a1b92a1f7e156a56881 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Sat, 7 Oct 2023 13:34:50 +0200 Subject: [PATCH 02/42] remove unnecessary line breaks --- book/source/01-intro.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/book/source/01-intro.md b/book/source/01-intro.md index f030fdc..4875f33 100644 --- a/book/source/01-intro.md +++ b/book/source/01-intro.md @@ -18,8 +18,6 @@ With OpenPGP, you can: To achieve these operations, OpenPGP utilizes a set of [established cryptographic mechanisms](cyrptography_chapter). These building blocks are integrated into OpenPGP's format, which also manages and verifies identities. - - ## Who is the audience for this document? Three groups of people interact with OpenPGP: From 3f8fb4690fe2a06496463bc0503d03ac00b650fc Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Sat, 7 Oct 2023 14:12:45 +0200 Subject: [PATCH 03/42] change format to standard and clarify role --- book/source/01-intro.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/01-intro.md b/book/source/01-intro.md index 4875f33..c6b9577 100644 --- a/book/source/01-intro.md +++ b/book/source/01-intro.md @@ -16,7 +16,7 @@ With OpenPGP, you can: - [Sign](signing_data) and [verify](verification_chapter) data - [Issue certifications and examine statements](certifications_chapter) about keys and identities, similar to the role of a Certificate Authority in validating identities. -To achieve these operations, OpenPGP utilizes a set of [established cryptographic mechanisms](cyrptography_chapter). These building blocks are integrated into OpenPGP's format, which also manages and verifies identities. +To achieve these operations, OpenPGP utilizes a set of [established cryptographic mechanisms](cyrptography_chapter). These building blocks are integrated into OpenPGP's standard, which also addresses identities and their verification. ## Who is the audience for this document? From b1dab566a896a476f6834b1bf97a07649b04531d Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 9 Oct 2023 18:04:54 +0200 Subject: [PATCH 04/42] ch3: move terminology note into an "admonition" --- book/source/03-cryptography.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/book/source/03-cryptography.md b/book/source/03-cryptography.md index 9f047fd..f79051f 100644 --- a/book/source/03-cryptography.md +++ b/book/source/03-cryptography.md @@ -95,9 +95,13 @@ Only the public part of an asymmetric key pair OpenPGP makes heavy use of public-key cryptography, both for encryption and signing operations. -Note that, for historical reasons, the OpenPGP RFC and other documentation often use the non-standard term "secret key" instead of the more common "private key." +```{admonition} Terminology +:class: note + +For historical reasons, the OpenPGP RFC and other documentation often use the non-standard term "secret key" instead of the more common "private key." So in OpenPGP, the pair of terms "public/secret key" is sometimes used instead of the more common "public/private key." +``` ### Cryptographic digital signatures From e103ac0797375a65a53dc8794502cd2f550ccbd2 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 5 Oct 2023 21:45:44 +0200 Subject: [PATCH 05/42] expand "why OpenPGP" section --- book/source/02-highlevel.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index ee5f1a0..6f849cd 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -2,14 +2,17 @@ ## Why OpenPGP? -OpenPGP is an IETF-standardized set of cryptographic operations. OpenPGP defines mechanisms for authentication of cryptographic identities with a decentralized trust model. +OpenPGP is a widely recognized IETF-standardized set of cryptographic operations. It is broadly used in securing communications, for example, in encrypted text messages and email, and enjoys a vast ecosystem of libraries, tools, and community support forums. Moreover, its robustness and versatility has made OpenPGP a security choice for other use cases in which encryption is important. These include file transfer applications, password managers, and data storage. -```{admonition} TODO -:class: warning +There are other compelling reasons for why you might consider using OpenPGP in your project: -David points out: this section does not yet constitute a compelling endorsement. -(-> more/better text needed) -``` +1. **Decentralized trust model**: OpenPGP's decentralization defines mechanisms for authentication that allow individuals and entities to create and manage their own cryptographic identities. Unlike centralized trust models, decentralized trust models empower individuals and entities to manage their own identities, fostering a community-driven web of trust instead of relying on a centralized authority, thus reducing single points of failure. + +2. **End-to-end encryption**: OpenPGP provides a robust framework for implementing end-to-end encryption. Content remains confidential, verifiable, authenticated, and protected against unauthorized access, even when the communication channel itself might be otherwise compromised. Encryption is crucial in a myriad of scenarios, particularly when transmitting sensitive information such as financial data, personal identification information, or proprietary business data. + +3. **Anonymity and pseudonymity**: In sensitive and volatile situations where identity protection is crucial, OpenPGP can be used to provide a level of anonymity or pseudonymity that helps protect user identities. For example, OpenPGP has been used alongside other privacy tools, such as Tor and VPNs, to provide secure and anonymous communication for whistleblowers, human rights lawyers, activists in repressive regimes, and journalists, reducing their risks for retaliation and state violence. + +4. **Interoperability**: OpenPGP is a a well-structured and standardized protocol, widely adopted by various public and private entities but not tied to any particular vendor's technology. It supports all major operating systems, like Windows, macOS, GNU/Linux, Android, and iOS. Because of standardization, wide adoption, cross-platform compatibility, and adaptability, OpenPGP's interoperability significantly contributes to reducing development time, costs, and technical hurdles. ## A very brief history From 6679f2fdf9a39bb69002ed10f249c99c4a43ab20 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 5 Oct 2023 21:50:05 +0200 Subject: [PATCH 06/42] edit language and punctuation of PGP line --- book/source/02-highlevel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 6f849cd..c020df0 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -22,7 +22,7 @@ The OpenPGP standard has evolved over time, and remains under active development ### "Pretty Good Privacy (PGP)" -The earliest roots of OpenPGP trace back to *"Pretty Good Privacy (PGP)"*, a software program written by [Phil Zimmermann](https://en.wikipedia.org/wiki/Phil_Zimmermann) and first released in 1991. +The origins of OpenPGP can be traced back to *Pretty Good Privacy (PGP)*, a software program written by [Phil Zimmermann](https://en.wikipedia.org/wiki/Phil_Zimmermann) and first released in 1991. The original PGP software has played a role in the political struggles sometimes referred to as the ["Crypto Wars"](https://en.wikipedia.org/wiki/Crypto_Wars) (also see ["Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital" (2002)](https://en.wikipedia.org/wiki/Crypto_(book)) for some of that history, including part of the history of PGP). From 7a0b4832ec7607c62e0a29b327ae6b8d38c64d92 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 6 Oct 2023 13:43:29 +0200 Subject: [PATCH 07/42] edit history to of PGP, standardizing, and GnuPG --- book/source/02-highlevel.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index c020df0..2762efe 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -2,7 +2,7 @@ ## Why OpenPGP? -OpenPGP is a widely recognized IETF-standardized set of cryptographic operations. It is broadly used in securing communications, for example, in encrypted text messages and email, and enjoys a vast ecosystem of libraries, tools, and community support forums. Moreover, its robustness and versatility has made OpenPGP a security choice for other use cases in which encryption is important. These include file transfer applications, password managers, and data storage. +OpenPGP is a widely recognized IETF-standardized set of cryptographic operations. It is broadly used in securing communications, for example, in encrypted text messages and email, and enjoys a vast ecosystem of libraries, tools, and community support forums. Moreover, its robustness and versatility has made OpenPGP a security choice for other use cases in which encryption is important. These include file transfer applications, password managers, and secure data storage. There are other compelling reasons for why you might consider using OpenPGP in your project: @@ -20,34 +20,37 @@ The OpenPGP standard has evolved over time, and remains under active development (Also see [https://www.openpgp.org/about/history/](https://www.openpgp.org/about/history/)) -### "Pretty Good Privacy (PGP)" +### Pretty Good Privacy (PGP) The origins of OpenPGP can be traced back to *Pretty Good Privacy (PGP)*, a software program written by [Phil Zimmermann](https://en.wikipedia.org/wiki/Phil_Zimmermann) and first released in 1991. -The original PGP software has played a role in the political struggles sometimes referred to as the ["Crypto Wars"](https://en.wikipedia.org/wiki/Crypto_Wars) (also see ["Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital" (2002)](https://en.wikipedia.org/wiki/Crypto_(book)) for some of that history, including part of the history of PGP). +The original PGP software played a role in the political struggles sometimes referred to as the ["Crypto Wars"](https://en.wikipedia.org/wiki/Crypto_Wars) (also see ["Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital" (2002)](https://en.wikipedia.org/wiki/Crypto_(book)), which includes some of PGP's history). -The original "PGP" software was never under a Free Software license, even though its source code has at one point been widely published. - -The ownership and branding of the product has [changed over the years](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_and_Symantec). The software enjoys a continued existence, albeit with [changing name and scope](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_encryption_applications). +The original PGP software was never under a Free Software license, despite being widely published. [PGP's ownership has changed over the years](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_and_Symantec), and [PGP's scope and suite of products have expanded] (https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_encryption_applications). ### Standardizing OpenPGP -While the original PGP software was developed as a commercial product, the owner at the time, "PGP Inc." started a standardization effort with the IETF, first publishing [RFC 1991 "PGP Message Exchange Formats"](https://datatracker.ietf.org/doc/html/rfc1991) in August 1996. +While PGP was first developed as commercial software, the owner at the time, PGP Inc., started a standardization effort with the IETF, first publishing [RFC 1991 "PGP Message Exchange Formats"](https://datatracker.ietf.org/doc/html/rfc1991) in August 1996. In July 1997, a process to produce an open standard under the then new name [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP) was started, resulting in [RFC 2440 "OpenPGP Message Format"](https://datatracker.ietf.org/doc/html/rfc2440), published November 1998. RFC 2440 describes OpenPGP version 3. -The name "OpenPGP" can be used freely by implementations (unlike the name "PGP", which is a [registered trademark](https://uspto.report/TM/74685229)). +The name OpenPGP can be used freely by implementations, unlike the name PGP, which is a [registered trademark](https://uspto.report/TM/74685229)). ### GnuPG, an early Free Software implementation -[First released 1997-12-20](https://gnupg.org/download/release_notes.html#sec-2-70), GnuPG (the "GNU Privacy Guard") is an implementation of the OpenPGP standard. +[First released 1997-12-20](https://gnupg.org/download/release_notes.html#sec-2-70) by Werner Koch, a German computer programmer, GNU Privacy Guard (GnuPG) is a free and open-source implementation of the OpenPGP standard. -GnuPG has been a major early Free Software implementation of OpenPGP. It has played an important (and successful) role in the [release of NSA documents](https://theintercept.com/2014/10/28/smuggling-snowden-secrets/) by [Edward Snowden](https://en.wikipedia.org/wiki/Edward_Snowden). +GnuPG was a major early implementation of OpenPGP. Over the years, the importance of GnuPG has grown significantly as it became a foundational tool for email security, software signing, and more. It played an important (and successful) role in the [release of NSA documents](https://theintercept.com/2014/10/28/smuggling-snowden-secrets/) by [Edward Snowden](https://en.wikipedia.org/wiki/Edward_Snowden). -The GnuPG program binary is called `gpg`, thus the names "GnuPG" and "gpg" are often used interchangeably. +The GnuPG program binary is called "gpg," thus the names "GnuPG" and "gpg" are often used interchangeably. Note: The terms "pgp key" and "gpg key" are sometimes used. Since PGP and GnuPG are just two of many existing OpenPGP implementations, the proper term is "OpenPGP key" (or "OpenPGP certificate", more on that [later](certificates_chapter)). +```{admonition} TODO +:class: warning +Heiko, I do not believe the above section on the binary needs to be in this history section. Also, I have added Werner Koch by name to this history, bringing his contribution to the level afforded Zimmerman and Snowden. +``` + ## The OpenPGP version 4 era ### OpenPGP version 4 From 9ef56526bc2db68c57f2c9d43b84b5a7a5d166ae Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 6 Oct 2023 14:15:38 +0200 Subject: [PATCH 08/42] improve text re version 4 and its implementations --- book/source/02-highlevel.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 2762efe..dbca060 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -55,16 +55,16 @@ Heiko, I do not believe the above section on the binary needs to be in this hist ### OpenPGP version 4 -In 2007, [RFC 4880](https://datatracker.ietf.org/doc/html/rfc4880), defining version 4 of OpenPGP, was published. This version is currently most commonly used in the wild. +In 2007, the IETF published [RFC 4880](https://datatracker.ietf.org/doc/html/rfc4880), which defined version 4 of the OpenPGP standard. At this time, version 4 is the most commonly used version. + -(major_implementations)= ### Multiple major implementations -Today multiple new Free Software implementations of OpenPGP play important roles: +Today, multiple implementations of OpenPGP play important roles: -- Proton Mail, who provide email encryption services for a large number of users, use (and maintain) [OpenPGP.js](https://openpgpjs.org/) as well as [GopenPGP](https://gopenpgp.org/). -- The Thunderbird email software is using the [RNP](https://www.rnpgp.org/) implementation for their built-in OpenPGP support since version 78 (released in mid-2020). -- The RPM Package Manager software includes an OpenPGP backend based on [Sequoia PGP](https://sequoia-pgp.org/), a modern OpenPGP implementation in Rust. Fedora [uses Sequoia PGP in rpm](https://sequoia-pgp.org/blog/2023/04/27/rpm-sequoia/) since version 38. +- Proton Mail, which provides email encryption services for a large number of users, uses and maintains [OpenPGP.js](https://openpgpjs.org/) as well as [GopenPGP](https://gopenpgp.org/), an OpenPGP wrapper library written in golang. +- The Mozilla Thunderbird email software uses [RNP](https://www.rnpgp.org/), its C++ implementation of OpenPGP. +- The RPM Package Manager software includes an OpenPGP backend based on [Sequoia PGP](https://sequoia-pgp.org/), a modern OpenPGP implementation written in Rust. The Fedora operating system, Fedora Linux 38, [uses Sequoia PGP in rpm](https://sequoia-pgp.org/blog/2023/04/27/rpm-sequoia/). ## The road ahead From 9b81ebb8fe22d9d839833368dead126e45ee7458 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 6 Oct 2023 14:21:16 +0200 Subject: [PATCH 09/42] improve text re version 6 --- book/source/02-highlevel.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index dbca060..1f2f815 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -71,17 +71,17 @@ Today, multiple implementations of OpenPGP play important roles: ### OpenPGP version 6 As of this writing (in 2023), [version 6 of OpenPGP](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) is approaching publication as an RFC. -The IETF working group's [charter](https://datatracker.ietf.org/wg/openpgp/about/#autoid-1) centers around updating the cryptographic mechanisms, adding new algorithms, and deprecation of obsolete algorithms. +The [IETF OpenPGP working group](https://datatracker.ietf.org/wg/openpgp/about/#autoid-1) is focused on updating the cryptographic mechanisms, adding new algorithms, and the deprecation of obsolete algorithms. This document describes OpenPGP version 6, while pointing out differences to previous versions that are relevant to application developers. -Significant work on support for OpenPGP version 6 has already been done for multiple implementations, including: +Significant support for OpenPGP version 6 has already been achieved for multiple implementations, including: -- [GOpenPGP](https://github.com/ProtonMail/gopenpgp/tree/v3), +- [GopenPGP](https://github.com/ProtonMail/gopenpgp/tree/v3), - [OpenPGP.js](https://github.com/openpgpjs/openpgpjs/tree/v6), - [PGPainless](https://github.com/pgpainless/pgpainless/milestone/6), - [PGPy](https://github.com/dkg/PGPy/tree/dkg/crypto-refresh), -- [Sequoia-PGP](https://gitlab.com/sequoia-pgp/sequoia/-/tree/crypto-refresh). +- [Sequoia PGP](https://gitlab.com/sequoia-pgp/sequoia/-/tree/crypto-refresh). ### Post-Quantum Cryptography in OpenPGP From fb0b47d4f44efdb6593436b10add430b3b561734 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 6 Oct 2023 14:40:36 +0200 Subject: [PATCH 10/42] add line breaks for legibility --- book/source/02-highlevel.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 1f2f815..6f6b43f 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -8,10 +8,13 @@ There are other compelling reasons for why you might consider using OpenPGP in y 1. **Decentralized trust model**: OpenPGP's decentralization defines mechanisms for authentication that allow individuals and entities to create and manage their own cryptographic identities. Unlike centralized trust models, decentralized trust models empower individuals and entities to manage their own identities, fostering a community-driven web of trust instead of relying on a centralized authority, thus reducing single points of failure. + 2. **End-to-end encryption**: OpenPGP provides a robust framework for implementing end-to-end encryption. Content remains confidential, verifiable, authenticated, and protected against unauthorized access, even when the communication channel itself might be otherwise compromised. Encryption is crucial in a myriad of scenarios, particularly when transmitting sensitive information such as financial data, personal identification information, or proprietary business data. + 3. **Anonymity and pseudonymity**: In sensitive and volatile situations where identity protection is crucial, OpenPGP can be used to provide a level of anonymity or pseudonymity that helps protect user identities. For example, OpenPGP has been used alongside other privacy tools, such as Tor and VPNs, to provide secure and anonymous communication for whistleblowers, human rights lawyers, activists in repressive regimes, and journalists, reducing their risks for retaliation and state violence. + 4. **Interoperability**: OpenPGP is a a well-structured and standardized protocol, widely adopted by various public and private entities but not tied to any particular vendor's technology. It supports all major operating systems, like Windows, macOS, GNU/Linux, Android, and iOS. Because of standardization, wide adoption, cross-platform compatibility, and adaptability, OpenPGP's interoperability significantly contributes to reducing development time, costs, and technical hurdles. ## A very brief history @@ -83,7 +86,7 @@ Significant support for OpenPGP version 6 has already been achieved for multiple - [PGPy](https://github.com/dkg/PGPy/tree/dkg/crypto-refresh), - [Sequoia PGP](https://gitlab.com/sequoia-pgp/sequoia/-/tree/crypto-refresh). -### Post-Quantum Cryptography in OpenPGP +### Post-quantum cryptography in OpenPGP There is [ongoing work](https://datatracker.ietf.org/doc/draft-wussler-openpgp-pqc/) to standardize and add support for post-quantum public-key algorithms in OpenPGP. This project is funded by the [german "BSI"](https://en.wikipedia.org/wiki/Federal_Office_for_Information_Security). Goals include adding support for post-quantum cryptography to Thunderbird and GnuPG. A [presentation](https://datatracker.ietf.org/meeting/113/materials/slides-113-openpgp-a-post-quantum-approach-for-openpgp-00) was given at [IETF 113](https://datatracker.ietf.org/meeting/113/session/openpgp/). From 5077358a99ffa7d140c4742c1e0d08d2cf727a45 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 6 Oct 2023 14:41:50 +0200 Subject: [PATCH 11/42] add line breaks for legibility --- book/source/02-highlevel.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 6f6b43f..d916a5f 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -7,13 +7,13 @@ OpenPGP is a widely recognized IETF-standardized set of cryptographic operations There are other compelling reasons for why you might consider using OpenPGP in your project: 1. **Decentralized trust model**: OpenPGP's decentralization defines mechanisms for authentication that allow individuals and entities to create and manage their own cryptographic identities. Unlike centralized trust models, decentralized trust models empower individuals and entities to manage their own identities, fostering a community-driven web of trust instead of relying on a centralized authority, thus reducing single points of failure. - +
2. **End-to-end encryption**: OpenPGP provides a robust framework for implementing end-to-end encryption. Content remains confidential, verifiable, authenticated, and protected against unauthorized access, even when the communication channel itself might be otherwise compromised. Encryption is crucial in a myriad of scenarios, particularly when transmitting sensitive information such as financial data, personal identification information, or proprietary business data. - +
3. **Anonymity and pseudonymity**: In sensitive and volatile situations where identity protection is crucial, OpenPGP can be used to provide a level of anonymity or pseudonymity that helps protect user identities. For example, OpenPGP has been used alongside other privacy tools, such as Tor and VPNs, to provide secure and anonymous communication for whistleblowers, human rights lawyers, activists in repressive regimes, and journalists, reducing their risks for retaliation and state violence. - +
4. **Interoperability**: OpenPGP is a a well-structured and standardized protocol, widely adopted by various public and private entities but not tied to any particular vendor's technology. It supports all major operating systems, like Windows, macOS, GNU/Linux, Android, and iOS. Because of standardization, wide adoption, cross-platform compatibility, and adaptability, OpenPGP's interoperability significantly contributes to reducing development time, costs, and technical hurdles. From 3c75ccc3c5eb45bcb121f78a015f08cedd76b5aa Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 6 Oct 2023 14:53:38 +0200 Subject: [PATCH 12/42] edit certificates and keys concept section --- book/source/02-highlevel.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index d916a5f..23e2f10 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -92,17 +92,17 @@ There is [ongoing work](https://datatracker.ietf.org/doc/draft-wussler-openpgp-p ## Concepts -### Certificates/Keys +### Certificates and keys in OpenPGP -Use of OpenPGP is centered around cryptographic keys. +OpenPGP revolves fundamentally around the concept of cryptographic keys. -In OpenPGP, bare cryptographic keys are combined with additional metadata into "OpenPGP certificates," which are a relatively complex data structure (OpenPGP certificates are also often called "OpenPGP keys"). +In this framework, bare cryptographic keys are combined with additional metadata to form what are known as "OpenPGP certificates." These certificates are relatively complex data structures, also commonly referred to as "OpenPGP keys". -An OpenPGP certificate can evolve over time, with components being added, expiring, or being marked as invalid. +An OpenPGP certificate is dynamic, evolving over time as components are added, expire, or are marked as invalid. -See the chapter about [OpenPGP certificates](certificates_chapter) for details, and internal structure, and the chapter about [private keys](private_key_chapter) for handling of private key material in OpenPGP. +For detailed information on structure and handling, read our chapters on OpenPGP [certificates"](certificates_chapter) and [private keys](private_key_chapter). -Other important topics around certificates are their management, authentication, and trust models. We will only touch on those, in this document. +Beyond the basics, managing certificates, as well as understanding their authentication and trust models, are crucial topics. Though this document will only briefly touch on these aspects, they constitute an integral part of working with OpenPGP. ### High-Level operations From 985f29d4c751a0062cfa69bc4b833ccc95110a3f Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 6 Oct 2023 14:59:12 +0200 Subject: [PATCH 13/42] fix punctuation --- book/source/02-highlevel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 23e2f10..bccb6cd 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -96,7 +96,7 @@ There is [ongoing work](https://datatracker.ietf.org/doc/draft-wussler-openpgp-p OpenPGP revolves fundamentally around the concept of cryptographic keys. -In this framework, bare cryptographic keys are combined with additional metadata to form what are known as "OpenPGP certificates." These certificates are relatively complex data structures, also commonly referred to as "OpenPGP keys". +In this framework, bare cryptographic keys are combined with additional metadata to form what are known as "OpenPGP certificates." These certificates are relatively complex data structures, also commonly referred to as "OpenPGP keys." An OpenPGP certificate is dynamic, evolving over time as components are added, expire, or are marked as invalid. From b3338bb4e293a7d60eceef7e9605526b62ebfda7 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 6 Oct 2023 15:47:48 +0200 Subject: [PATCH 14/42] note that an issue needs to be created re OpenPGP line --- book/source/02-highlevel.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index bccb6cd..f72ef5d 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -45,13 +45,13 @@ The name OpenPGP can be used freely by implementations, unlike the name PGP, whi GnuPG was a major early implementation of OpenPGP. Over the years, the importance of GnuPG has grown significantly as it became a foundational tool for email security, software signing, and more. It played an important (and successful) role in the [release of NSA documents](https://theintercept.com/2014/10/28/smuggling-snowden-secrets/) by [Edward Snowden](https://en.wikipedia.org/wiki/Edward_Snowden). -The GnuPG program binary is called "gpg," thus the names "GnuPG" and "gpg" are often used interchangeably. - -Note: The terms "pgp key" and "gpg key" are sometimes used. Since PGP and GnuPG are just two of many existing OpenPGP implementations, the proper term is "OpenPGP key" (or "OpenPGP certificate", more on that [later](certificates_chapter)). +Because the GnuPG program binary is called "gpg," "GnuPG" and "gpg" are often used interchangeably. ```{admonition} TODO -:class: warning -Heiko, I do not believe the above section on the binary needs to be in this history section. Also, I have added Werner Koch by name to this history, bringing his contribution to the level afforded Zimmerman and Snowden. +Move this to an issue: +The following statement does not make sense here in the history part. + +: The terms "pgp key" and "gpg key" are sometimes used. Since PGP and GnuPG are just two of many existing OpenPGP implementations, the proper term is "OpenPGP key" (or "OpenPGP certificate", more on that [later](certificates_chapter)). ``` ## The OpenPGP version 4 era From 5b5e449925ebd9567111fbd5e38873e7be9f1959 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 6 Oct 2023 15:48:29 +0200 Subject: [PATCH 15/42] note that an issue needs to be created re v5 --- book/source/02-highlevel.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index f72ef5d..4b18a21 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -70,7 +70,9 @@ Today, multiple implementations of OpenPGP play important roles: - The RPM Package Manager software includes an OpenPGP backend based on [Sequoia PGP](https://sequoia-pgp.org/), a modern OpenPGP implementation written in Rust. The Fedora operating system, Fedora Linux 38, [uses Sequoia PGP in rpm](https://sequoia-pgp.org/blog/2023/04/27/rpm-sequoia/). ## The road ahead - +```{admonition} TODO +Let's insert a line about v5. +``` ### OpenPGP version 6 As of this writing (in 2023), [version 6 of OpenPGP](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) is approaching publication as an RFC. From bfb34f8f6b22ce688aa52a1872a4b01e72542bda Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 6 Oct 2023 15:55:29 +0200 Subject: [PATCH 16/42] change header on implementations --- book/source/02-highlevel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 4b18a21..6c94707 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -61,7 +61,7 @@ The following statement does not make sense here in the history part. In 2007, the IETF published [RFC 4880](https://datatracker.ietf.org/doc/html/rfc4880), which defined version 4 of the OpenPGP standard. At this time, version 4 is the most commonly used version. -### Multiple major implementations +### Major implementations m of OpenPGP Today, multiple implementations of OpenPGP play important roles: From 02603ef7db371b75458906b7acab6805602f9bd9 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 6 Oct 2023 16:07:40 +0200 Subject: [PATCH 17/42] correct typo --- book/source/02-highlevel.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 6c94707..dce79ec 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -61,7 +61,7 @@ The following statement does not make sense here in the history part. In 2007, the IETF published [RFC 4880](https://datatracker.ietf.org/doc/html/rfc4880), which defined version 4 of the OpenPGP standard. At this time, version 4 is the most commonly used version. -### Major implementations m of OpenPGP +### Major implementations of OpenPGP Today, multiple implementations of OpenPGP play important roles: @@ -93,7 +93,9 @@ Significant support for OpenPGP version 6 has already been achieved for multiple There is [ongoing work](https://datatracker.ietf.org/doc/draft-wussler-openpgp-pqc/) to standardize and add support for post-quantum public-key algorithms in OpenPGP. This project is funded by the [german "BSI"](https://en.wikipedia.org/wiki/Federal_Office_for_Information_Security). Goals include adding support for post-quantum cryptography to Thunderbird and GnuPG. A [presentation](https://datatracker.ietf.org/meeting/113/materials/slides-113-openpgp-a-post-quantum-approach-for-openpgp-00) was given at [IETF 113](https://datatracker.ietf.org/meeting/113/session/openpgp/). ## Concepts - +```{admonition} TODO +Move operations to Ch1, figure out where to place or abbreviate certificates and keys section, drop building blocks and interoperability +``` ### Certificates and keys in OpenPGP OpenPGP revolves fundamentally around the concept of cryptographic keys. From a8c14033a7aa6a8c71f6a6eb6b00b54be0c22bf0 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 6 Oct 2023 16:14:07 +0200 Subject: [PATCH 18/42] correct typo --- book/source/02-highlevel.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index dce79ec..2e9fab5 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -94,7 +94,7 @@ There is [ongoing work](https://datatracker.ietf.org/doc/draft-wussler-openpgp-p ## Concepts ```{admonition} TODO -Move operations to Ch1, figure out where to place or abbreviate certificates and keys section, drop building blocks and interoperability +Move operations & building blocks statement to Ch1, create Ch2a with the rest ``` ### Certificates and keys in OpenPGP @@ -104,7 +104,7 @@ In this framework, bare cryptographic keys are combined with additional metadata An OpenPGP certificate is dynamic, evolving over time as components are added, expire, or are marked as invalid. -For detailed information on structure and handling, read our chapters on OpenPGP [certificates"](certificates_chapter) and [private keys](private_key_chapter). +For detailed information on structure and handling, read our chapters on OpenPGP [certificates](certificates_chapter) and [private keys](private_key_chapter). Beyond the basics, managing certificates, as well as understanding their authentication and trust models, are crucial topics. Though this document will only briefly touch on these aspects, they constitute an integral part of working with OpenPGP. From b39d8082901d0d3d15150a917d6f2bcdfe606e9b Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 6 Oct 2023 16:25:14 +0200 Subject: [PATCH 19/42] move interoperability section --- book/source/02-highlevel.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 2e9fab5..5d04713 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -69,6 +69,12 @@ Today, multiple implementations of OpenPGP play important roles: - The Mozilla Thunderbird email software uses [RNP](https://www.rnpgp.org/), its C++ implementation of OpenPGP. - The RPM Package Manager software includes an OpenPGP backend based on [Sequoia PGP](https://sequoia-pgp.org/), a modern OpenPGP implementation written in Rust. The Fedora operating system, Fedora Linux 38, [uses Sequoia PGP in rpm](https://sequoia-pgp.org/blog/2023/04/27/rpm-sequoia/). +### Interoperability + +OpenPGP was standardized in 1997 to encourage development of interoperable implementations. This has already been a success early on, but in recent years, there has been [much development of new implementations](major_implementations). + +Historically, interoperability has only been tested in an adhoc manner. Since 2019, the Sequoia project is maintaining and operating the ["OpenPGP interoperability test suite"](https://tests.sequoia-pgp.org/), for more rigorous and systematic testing. The test suite has identified numerous [issues](https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite#hall-of-fame). + ## The road ahead ```{admonition} TODO Let's insert a line about v5. @@ -94,7 +100,7 @@ There is [ongoing work](https://datatracker.ietf.org/doc/draft-wussler-openpgp-p ## Concepts ```{admonition} TODO -Move operations & building blocks statement to Ch1, create Ch2a with the rest +Move operations & building blocks statement to Ch1, move certificate and keys section to Ch4 ``` ### Certificates and keys in OpenPGP @@ -121,11 +127,6 @@ With OpenPGP it's possible to: To perform these high-level operations, a set of [established cryptographic mechanisms](cyrptography_chapter) are used as building blocks, and combined into OpenPGP's format, which additionally deals with identities and their verification. (interop_section)= -## Interoperability - -OpenPGP was standardized in 1997 to encourage development of interoperable implementations. This has already been a success early on, but in recent years, there has been [much development of new implementations](major_implementations). - -Historically, interoperability has only been tested in an adhoc manner. Since 2019, the Sequoia project is maintaining and operating the ["OpenPGP interoperability test suite"](https://tests.sequoia-pgp.org/), for more rigorous and systematic testing. The test suite has identified numerous [issues](https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite#hall-of-fame). ## Zooming in: Internal structure of OpenPGP data From 9ba166f4df70e533451110ec773ae14040683b20 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 6 Oct 2023 16:27:41 +0200 Subject: [PATCH 20/42] remove (interop_section)= line --- book/source/02-highlevel.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 5d04713..36bf31b 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -126,8 +126,6 @@ With OpenPGP it's possible to: To perform these high-level operations, a set of [established cryptographic mechanisms](cyrptography_chapter) are used as building blocks, and combined into OpenPGP's format, which additionally deals with identities and their verification. -(interop_section)= - ## Zooming in: Internal structure of OpenPGP data OpenPGP data is internally structured as "packets." We'll look into examples of this internal structure throughout the following chapters. From 8e8507ebbf99846da1d10b210b95fca2cfe5e2ce Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Fri, 6 Oct 2023 16:32:52 +0200 Subject: [PATCH 21/42] add note regarding zoom in intructions --- book/source/02-highlevel.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 36bf31b..7b14735 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -126,6 +126,9 @@ With OpenPGP it's possible to: To perform these high-level operations, a set of [established cryptographic mechanisms](cyrptography_chapter) are used as building blocks, and combined into OpenPGP's format, which additionally deals with identities and their verification. +```{admonition} TODO +Ch1 needs a "how to read this document" section and each of the Zoom-in sections needs its "you've landed here so let's explain this to you" line of some kind +``` ## Zooming in: Internal structure of OpenPGP data OpenPGP data is internally structured as "packets." We'll look into examples of this internal structure throughout the following chapters. From c65141a712eb96eaed3dd55cc284fb254240fbae Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Sat, 7 Oct 2023 13:11:54 +0200 Subject: [PATCH 22/42] clarify why there is no v5 --- book/source/02-highlevel.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 7b14735..2ba79c4 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -76,9 +76,8 @@ OpenPGP was standardized in 1997 to encourage development of interoperable imple Historically, interoperability has only been tested in an adhoc manner. Since 2019, the Sequoia project is maintaining and operating the ["OpenPGP interoperability test suite"](https://tests.sequoia-pgp.org/), for more rigorous and systematic testing. The test suite has identified numerous [issues](https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite#hall-of-fame). ## The road ahead -```{admonition} TODO -Let's insert a line about v5. -``` +> **Note:** Software and protocol development sometimes skip version numbers due to reasons like internal testing, significant changes, avoiding confusion, marketing decisions, or technical issues. The official successor to OpenPGP version 4 is OpenPGP version 6, detailed below. + ### OpenPGP version 6 As of this writing (in 2023), [version 6 of OpenPGP](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) is approaching publication as an RFC. From 9ff8b69cb79e3b129c046c6211c269e7b968edf4 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Sat, 7 Oct 2023 13:16:59 +0200 Subject: [PATCH 23/42] move high-level operations to Ch1 --- book/source/02-highlevel.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 2ba79c4..6be9835 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -113,14 +113,6 @@ For detailed information on structure and handling, read our chapters on OpenPGP Beyond the basics, managing certificates, as well as understanding their authentication and trust models, are crucial topics. Though this document will only briefly touch on these aspects, they constitute an integral part of working with OpenPGP. -### High-Level operations - -With OpenPGP it's possible to: - -- [Encrypt](encryption_chapter) and [Decrypt](decryption_chapter) Messages -- [Sign](signing_data) and [Verify](verification_chapter) Data -- [Issue and examine Statements](certifications_chapter) about Keys and Identities (to perform CA-like functionality) - ### Building blocks To perform these high-level operations, a set of [established cryptographic mechanisms](cyrptography_chapter) are used as building blocks, and combined into OpenPGP's format, which additionally deals with identities and their verification. From f0db3cb5cc57d41ce958a126a3c735256f872ee9 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Sat, 7 Oct 2023 13:18:30 +0200 Subject: [PATCH 24/42] move building blocks to Ch1 --- book/source/02-highlevel.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 6be9835..ae74fc0 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -113,10 +113,6 @@ For detailed information on structure and handling, read our chapters on OpenPGP Beyond the basics, managing certificates, as well as understanding their authentication and trust models, are crucial topics. Though this document will only briefly touch on these aspects, they constitute an integral part of working with OpenPGP. -### Building blocks - -To perform these high-level operations, a set of [established cryptographic mechanisms](cyrptography_chapter) are used as building blocks, and combined into OpenPGP's format, which additionally deals with identities and their verification. - ```{admonition} TODO Ch1 needs a "how to read this document" section and each of the Zoom-in sections needs its "you've landed here so let's explain this to you" line of some kind ``` From ff96d27b2e62635fe343bedd8d3524ee4419b57e Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Sat, 7 Oct 2023 13:19:47 +0200 Subject: [PATCH 25/42] move certificate and keys section to Ch4 --- book/source/02-highlevel.md | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index ae74fc0..b50fa65 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -97,22 +97,6 @@ Significant support for OpenPGP version 6 has already been achieved for multiple There is [ongoing work](https://datatracker.ietf.org/doc/draft-wussler-openpgp-pqc/) to standardize and add support for post-quantum public-key algorithms in OpenPGP. This project is funded by the [german "BSI"](https://en.wikipedia.org/wiki/Federal_Office_for_Information_Security). Goals include adding support for post-quantum cryptography to Thunderbird and GnuPG. A [presentation](https://datatracker.ietf.org/meeting/113/materials/slides-113-openpgp-a-post-quantum-approach-for-openpgp-00) was given at [IETF 113](https://datatracker.ietf.org/meeting/113/session/openpgp/). -## Concepts -```{admonition} TODO -Move operations & building blocks statement to Ch1, move certificate and keys section to Ch4 -``` -### Certificates and keys in OpenPGP - -OpenPGP revolves fundamentally around the concept of cryptographic keys. - -In this framework, bare cryptographic keys are combined with additional metadata to form what are known as "OpenPGP certificates." These certificates are relatively complex data structures, also commonly referred to as "OpenPGP keys." - -An OpenPGP certificate is dynamic, evolving over time as components are added, expire, or are marked as invalid. - -For detailed information on structure and handling, read our chapters on OpenPGP [certificates](certificates_chapter) and [private keys](private_key_chapter). - -Beyond the basics, managing certificates, as well as understanding their authentication and trust models, are crucial topics. Though this document will only briefly touch on these aspects, they constitute an integral part of working with OpenPGP. - ```{admonition} TODO Ch1 needs a "how to read this document" section and each of the Zoom-in sections needs its "you've landed here so let's explain this to you" line of some kind ``` From e5b114a9efa7037a2c9070dbf21e74e7188115e3 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 12 Oct 2023 10:07:04 +0200 Subject: [PATCH 26/42] remove html in markdown --- book/source/02-highlevel.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index b50fa65..3e1fabb 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -7,13 +7,10 @@ OpenPGP is a widely recognized IETF-standardized set of cryptographic operations There are other compelling reasons for why you might consider using OpenPGP in your project: 1. **Decentralized trust model**: OpenPGP's decentralization defines mechanisms for authentication that allow individuals and entities to create and manage their own cryptographic identities. Unlike centralized trust models, decentralized trust models empower individuals and entities to manage their own identities, fostering a community-driven web of trust instead of relying on a centralized authority, thus reducing single points of failure. -
2. **End-to-end encryption**: OpenPGP provides a robust framework for implementing end-to-end encryption. Content remains confidential, verifiable, authenticated, and protected against unauthorized access, even when the communication channel itself might be otherwise compromised. Encryption is crucial in a myriad of scenarios, particularly when transmitting sensitive information such as financial data, personal identification information, or proprietary business data. -
3. **Anonymity and pseudonymity**: In sensitive and volatile situations where identity protection is crucial, OpenPGP can be used to provide a level of anonymity or pseudonymity that helps protect user identities. For example, OpenPGP has been used alongside other privacy tools, such as Tor and VPNs, to provide secure and anonymous communication for whistleblowers, human rights lawyers, activists in repressive regimes, and journalists, reducing their risks for retaliation and state violence. -
4. **Interoperability**: OpenPGP is a a well-structured and standardized protocol, widely adopted by various public and private entities but not tied to any particular vendor's technology. It supports all major operating systems, like Windows, macOS, GNU/Linux, Android, and iOS. Because of standardization, wide adoption, cross-platform compatibility, and adaptability, OpenPGP's interoperability significantly contributes to reducing development time, costs, and technical hurdles. From 7fdcdb2391f4ec81a0dbaf33dd63c0f22f3d7e1a Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 12 Oct 2023 10:09:14 +0200 Subject: [PATCH 27/42] edit, change to 'personally identifiable information (PII)' --- book/source/02-highlevel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 3e1fabb..bbbffe2 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -8,7 +8,7 @@ There are other compelling reasons for why you might consider using OpenPGP in y 1. **Decentralized trust model**: OpenPGP's decentralization defines mechanisms for authentication that allow individuals and entities to create and manage their own cryptographic identities. Unlike centralized trust models, decentralized trust models empower individuals and entities to manage their own identities, fostering a community-driven web of trust instead of relying on a centralized authority, thus reducing single points of failure. -2. **End-to-end encryption**: OpenPGP provides a robust framework for implementing end-to-end encryption. Content remains confidential, verifiable, authenticated, and protected against unauthorized access, even when the communication channel itself might be otherwise compromised. Encryption is crucial in a myriad of scenarios, particularly when transmitting sensitive information such as financial data, personal identification information, or proprietary business data. +2. **End-to-end encryption**: OpenPGP provides a robust framework for implementing end-to-end encryption. Content remains confidential, verifiable, authenticated, and protected against unauthorized access, even when the communication channel itself might be otherwise compromised. Encryption is crucial in a myriad of scenarios, particularly when transmitting sensitive information such as financial data, personally identifiable information (PII), or proprietary business data. 3. **Anonymity and pseudonymity**: In sensitive and volatile situations where identity protection is crucial, OpenPGP can be used to provide a level of anonymity or pseudonymity that helps protect user identities. For example, OpenPGP has been used alongside other privacy tools, such as Tor and VPNs, to provide secure and anonymous communication for whistleblowers, human rights lawyers, activists in repressive regimes, and journalists, reducing their risks for retaliation and state violence. From 694723910196419933de61ed6aac07928c09c5fe Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 12 Oct 2023 10:11:40 +0200 Subject: [PATCH 28/42] removed extra a, changed like to such as --- book/source/02-highlevel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index bbbffe2..7cc4aa8 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -12,7 +12,7 @@ There are other compelling reasons for why you might consider using OpenPGP in y 3. **Anonymity and pseudonymity**: In sensitive and volatile situations where identity protection is crucial, OpenPGP can be used to provide a level of anonymity or pseudonymity that helps protect user identities. For example, OpenPGP has been used alongside other privacy tools, such as Tor and VPNs, to provide secure and anonymous communication for whistleblowers, human rights lawyers, activists in repressive regimes, and journalists, reducing their risks for retaliation and state violence. -4. **Interoperability**: OpenPGP is a a well-structured and standardized protocol, widely adopted by various public and private entities but not tied to any particular vendor's technology. It supports all major operating systems, like Windows, macOS, GNU/Linux, Android, and iOS. Because of standardization, wide adoption, cross-platform compatibility, and adaptability, OpenPGP's interoperability significantly contributes to reducing development time, costs, and technical hurdles. +4. **Interoperability**: OpenPGP is a well-structured and standardized protocol, widely adopted by various public and private entities but not tied to any particular vendor's technology. It supports all major operating systems, such as Windows, macOS, GNU/Linux, Android, and iOS. Because of standardization, wide adoption, cross-platform compatibility, and adaptability, OpenPGP's interoperability significantly contributes to reducing development time, costs, and technical hurdles. ## A very brief history From e968ad9c75330c0dc09a0c28363416c5446e9a7d Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 12 Oct 2023 10:12:59 +0200 Subject: [PATCH 29/42] added in --- book/source/02-highlevel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 7cc4aa8..dd4fed1 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -32,7 +32,7 @@ The original PGP software was never under a Free Software license, despite being While PGP was first developed as commercial software, the owner at the time, PGP Inc., started a standardization effort with the IETF, first publishing [RFC 1991 "PGP Message Exchange Formats"](https://datatracker.ietf.org/doc/html/rfc1991) in August 1996. -In July 1997, a process to produce an open standard under the then new name [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP) was started, resulting in [RFC 2440 "OpenPGP Message Format"](https://datatracker.ietf.org/doc/html/rfc2440), published November 1998. RFC 2440 describes OpenPGP version 3. +In July 1997, a process to produce an open standard under the then new name [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP) was started, resulting in [RFC 2440 "OpenPGP Message Format"](https://datatracker.ietf.org/doc/html/rfc2440), published in November 1998. RFC 2440 describes OpenPGP version 3. The name OpenPGP can be used freely by implementations, unlike the name PGP, which is a [registered trademark](https://uspto.report/TM/74685229)). From 705f651a89ef3605904388cfdb65954c5976f548 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 12 Oct 2023 10:18:31 +0200 Subject: [PATCH 30/42] add s --- book/source/02-highlevel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index dd4fed1..6414fd1 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -73,7 +73,7 @@ OpenPGP was standardized in 1997 to encourage development of interoperable imple Historically, interoperability has only been tested in an adhoc manner. Since 2019, the Sequoia project is maintaining and operating the ["OpenPGP interoperability test suite"](https://tests.sequoia-pgp.org/), for more rigorous and systematic testing. The test suite has identified numerous [issues](https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite#hall-of-fame). ## The road ahead -> **Note:** Software and protocol development sometimes skip version numbers due to reasons like internal testing, significant changes, avoiding confusion, marketing decisions, or technical issues. The official successor to OpenPGP version 4 is OpenPGP version 6, detailed below. +> **Note:** Software and protocol development sometimes skips version numbers due to reasons like internal testing, significant changes, avoiding confusion, marketing decisions, or technical issues. The official successor to OpenPGP version 4 is OpenPGP version 6, detailed below. ### OpenPGP version 6 From 250c9f42eb761eab0015ae33c02eded7ab7413df Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 12 Oct 2023 10:26:39 +0200 Subject: [PATCH 31/42] insert comma --- book/source/02-highlevel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 6414fd1..b10504e 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -2,7 +2,7 @@ ## Why OpenPGP? -OpenPGP is a widely recognized IETF-standardized set of cryptographic operations. It is broadly used in securing communications, for example, in encrypted text messages and email, and enjoys a vast ecosystem of libraries, tools, and community support forums. Moreover, its robustness and versatility has made OpenPGP a security choice for other use cases in which encryption is important. These include file transfer applications, password managers, and secure data storage. +OpenPGP is a widely recognized, IETF-standardized set of cryptographic operations. It is broadly used in securing communications, for example, in encrypted text messages and email, and enjoys a vast ecosystem of libraries, tools, and community support forums. Moreover, its robustness and versatility has made OpenPGP a security choice for other use cases in which encryption is important. These include file transfer applications, password managers, and secure data storage. There are other compelling reasons for why you might consider using OpenPGP in your project: From 25f9252e48ae3ca422bd0a52d07db7fce5b2dd56 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 12 Oct 2023 10:31:24 +0200 Subject: [PATCH 32/42] add Bouncy Castle, remove PGPainless --- book/source/02-highlevel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index b10504e..d63f4c6 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -84,9 +84,9 @@ This document describes OpenPGP version 6, while pointing out differences to pre Significant support for OpenPGP version 6 has already been achieved for multiple implementations, including: +- [Bouncy Castle Java](https://github.com/bcgit/bc-java/issues/1421), - [GopenPGP](https://github.com/ProtonMail/gopenpgp/tree/v3), - [OpenPGP.js](https://github.com/openpgpjs/openpgpjs/tree/v6), -- [PGPainless](https://github.com/pgpainless/pgpainless/milestone/6), - [PGPy](https://github.com/dkg/PGPy/tree/dkg/crypto-refresh), - [Sequoia PGP](https://gitlab.com/sequoia-pgp/sequoia/-/tree/crypto-refresh). From 121119c7097e34b0972acf4f82f283d3a4b46a24 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 12 Oct 2023 10:48:34 +0200 Subject: [PATCH 33/42] clarify timeframe on v4 popularity --- book/source/02-highlevel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index d63f4c6..ea79722 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -55,7 +55,7 @@ The following statement does not make sense here in the history part. ### OpenPGP version 4 -In 2007, the IETF published [RFC 4880](https://datatracker.ietf.org/doc/html/rfc4880), which defined version 4 of the OpenPGP standard. At this time, version 4 is the most commonly used version. +In 2007, the IETF published [RFC 4880](https://datatracker.ietf.org/doc/html/rfc4880), which defined version 4 of the OpenPGP standard. As of late 2023, version 4 is the most commonly used version. ### Major implementations of OpenPGP From cf553aba38570a3d3488cf25946644f69f9e026a Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 12 Oct 2023 11:21:59 +0200 Subject: [PATCH 34/42] edit details on PGP distribution --- book/source/02-highlevel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index ea79722..bbc66eb 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -26,7 +26,7 @@ The origins of OpenPGP can be traced back to *Pretty Good Privacy (PGP)*, a soft The original PGP software played a role in the political struggles sometimes referred to as the ["Crypto Wars"](https://en.wikipedia.org/wiki/Crypto_Wars) (also see ["Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital" (2002)](https://en.wikipedia.org/wiki/Crypto_(book)), which includes some of PGP's history). -The original PGP software was never under a Free Software license, despite being widely published. [PGP's ownership has changed over the years](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_and_Symantec), and [PGP's scope and suite of products have expanded] (https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_encryption_applications). +The original PGP software was never under a Free Software license, despite its source code being widely published by its author. [PGP's ownership has changed over the years](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_and_Symantec), and [PGP's scope and suite of products have expanded] (https://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_encryption_applications). ### Standardizing OpenPGP From 62bf41b0401631e0e5a347b5844dc26945196aed Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Thu, 12 Oct 2023 10:39:31 +0200 Subject: [PATCH 35/42] re-add (interop_section) link target --- book/source/02-highlevel.md | 1 + 1 file changed, 1 insertion(+) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index bbc66eb..9d0a24b 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -66,6 +66,7 @@ Today, multiple implementations of OpenPGP play important roles: - The Mozilla Thunderbird email software uses [RNP](https://www.rnpgp.org/), its C++ implementation of OpenPGP. - The RPM Package Manager software includes an OpenPGP backend based on [Sequoia PGP](https://sequoia-pgp.org/), a modern OpenPGP implementation written in Rust. The Fedora operating system, Fedora Linux 38, [uses Sequoia PGP in rpm](https://sequoia-pgp.org/blog/2023/04/27/rpm-sequoia/). +(interop_section)= ### Interoperability OpenPGP was standardized in 1997 to encourage development of interoperable implementations. This has already been a success early on, but in recent years, there has been [much development of new implementations](major_implementations). From 4fb5fb4fff65d0839172f854745fd5b56a34b99a Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Thu, 12 Oct 2023 11:28:13 +0200 Subject: [PATCH 36/42] use myst "note" markup --- book/source/02-highlevel.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 9d0a24b..2b853cb 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -74,7 +74,10 @@ OpenPGP was standardized in 1997 to encourage development of interoperable imple Historically, interoperability has only been tested in an adhoc manner. Since 2019, the Sequoia project is maintaining and operating the ["OpenPGP interoperability test suite"](https://tests.sequoia-pgp.org/), for more rigorous and systematic testing. The test suite has identified numerous [issues](https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite#hall-of-fame). ## The road ahead -> **Note:** Software and protocol development sometimes skips version numbers due to reasons like internal testing, significant changes, avoiding confusion, marketing decisions, or technical issues. The official successor to OpenPGP version 4 is OpenPGP version 6, detailed below. + +```{note} +Software and protocol development sometimes skips version numbers due to reasons like internal testing, significant changes, avoiding confusion, marketing decisions, or technical issues. The official successor to OpenPGP version 4 is OpenPGP version 6, detailed below. +``` ### OpenPGP version 6 @@ -98,6 +101,7 @@ There is [ongoing work](https://datatracker.ietf.org/doc/draft-wussler-openpgp-p ```{admonition} TODO Ch1 needs a "how to read this document" section and each of the Zoom-in sections needs its "you've landed here so let's explain this to you" line of some kind ``` + ## Zooming in: Internal structure of OpenPGP data OpenPGP data is internally structured as "packets." We'll look into examples of this internal structure throughout the following chapters. From 731c92d9fcb417e1ac79128095d183dc73ed660e Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Thu, 12 Oct 2023 11:50:15 +0200 Subject: [PATCH 37/42] moved note into https://codeberg.org/openpgp/notes/issues/56 --- book/source/02-highlevel.md | 7 ------- 1 file changed, 7 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 2b853cb..6654e3d 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -44,13 +44,6 @@ GnuPG was a major early implementation of OpenPGP. Over the years, the importanc Because the GnuPG program binary is called "gpg," "GnuPG" and "gpg" are often used interchangeably. -```{admonition} TODO -Move this to an issue: -The following statement does not make sense here in the history part. - -: The terms "pgp key" and "gpg key" are sometimes used. Since PGP and GnuPG are just two of many existing OpenPGP implementations, the proper term is "OpenPGP key" (or "OpenPGP certificate", more on that [later](certificates_chapter)). -``` - ## The OpenPGP version 4 era ### OpenPGP version 4 From b18f1eefecc30bb97ebf627c5cc653c901d4ac94 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Thu, 12 Oct 2023 11:56:18 +0200 Subject: [PATCH 38/42] moved to https://codeberg.org/openpgp/notes/issues/57 --- book/source/02-highlevel.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 6654e3d..2070068 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -92,7 +92,7 @@ Significant support for OpenPGP version 6 has already been achieved for multiple There is [ongoing work](https://datatracker.ietf.org/doc/draft-wussler-openpgp-pqc/) to standardize and add support for post-quantum public-key algorithms in OpenPGP. This project is funded by the [german "BSI"](https://en.wikipedia.org/wiki/Federal_Office_for_Information_Security). Goals include adding support for post-quantum cryptography to Thunderbird and GnuPG. A [presentation](https://datatracker.ietf.org/meeting/113/materials/slides-113-openpgp-a-post-quantum-approach-for-openpgp-00) was given at [IETF 113](https://datatracker.ietf.org/meeting/113/session/openpgp/). ```{admonition} TODO -Ch1 needs a "how to read this document" section and each of the Zoom-in sections needs its "you've landed here so let's explain this to you" line of some kind +each of the Zoom-in sections needs its "you've landed here so let's explain this to you" line of some kind ``` ## Zooming in: Internal structure of OpenPGP data From ea74ed2128f7a7619841b142c40847b6aa639072 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Thu, 12 Oct 2023 11:56:53 +0200 Subject: [PATCH 39/42] moved to https://codeberg.org/openpgp/notes/issues/58 --- book/source/02-highlevel.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/book/source/02-highlevel.md b/book/source/02-highlevel.md index 2070068..221ee5b 100644 --- a/book/source/02-highlevel.md +++ b/book/source/02-highlevel.md @@ -91,10 +91,6 @@ Significant support for OpenPGP version 6 has already been achieved for multiple There is [ongoing work](https://datatracker.ietf.org/doc/draft-wussler-openpgp-pqc/) to standardize and add support for post-quantum public-key algorithms in OpenPGP. This project is funded by the [german "BSI"](https://en.wikipedia.org/wiki/Federal_Office_for_Information_Security). Goals include adding support for post-quantum cryptography to Thunderbird and GnuPG. A [presentation](https://datatracker.ietf.org/meeting/113/materials/slides-113-openpgp-a-post-quantum-approach-for-openpgp-00) was given at [IETF 113](https://datatracker.ietf.org/meeting/113/session/openpgp/). -```{admonition} TODO -each of the Zoom-in sections needs its "you've landed here so let's explain this to you" line of some kind -``` - ## Zooming in: Internal structure of OpenPGP data OpenPGP data is internally structured as "packets." We'll look into examples of this internal structure throughout the following chapters. From f93b74638d24398cab968505a4d3b9f068b26663 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 12 Oct 2023 11:54:40 +0200 Subject: [PATCH 40/42] change to 'enable' for clarity --- book/source/01-intro.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/01-intro.md b/book/source/01-intro.md index c6b9577..438d904 100644 --- a/book/source/01-intro.md +++ b/book/source/01-intro.md @@ -16,7 +16,7 @@ With OpenPGP, you can: - [Sign](signing_data) and [verify](verification_chapter) data - [Issue certifications and examine statements](certifications_chapter) about keys and identities, similar to the role of a Certificate Authority in validating identities. -To achieve these operations, OpenPGP utilizes a set of [established cryptographic mechanisms](cyrptography_chapter). These building blocks are integrated into OpenPGP's standard, which also addresses identities and their verification. +To enable these operations, OpenPGP utilizes a set of [established cryptographic mechanisms](cyrptography_chapter). These building blocks are integrated into OpenPGP's standard, which also addresses identities and their verification. ## Who is the audience for this document? From 9a3bb1623676bd72fc1fa4b4ed6a6e556405482b Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 9 Oct 2023 12:48:25 +0200 Subject: [PATCH 41/42] sphinx conf: more minimalistic output --- book/source/conf.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/book/source/conf.py b/book/source/conf.py index c451430..c734f9d 100644 --- a/book/source/conf.py +++ b/book/source/conf.py @@ -29,8 +29,13 @@ exclude_patterns = [] html_theme = 'alabaster' html_static_path = ['_static'] +html_show_sphinx = False +html_show_copyright = False +html_show_sourcelink = False + # https://github.com/sphinx-doc/alabaster/blob/0.x/alabaster/theme.conf html_theme_options = { 'code_font_size': '9pt', 'show_relbars': 'yes', + 'show_powered_by': False, } From a0a33b13b474f8fdb4b020b757586bad7fdeb207 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Thu, 5 Oct 2023 13:34:37 +0200 Subject: [PATCH 42/42] ch1: notes on the elaboration --- book/source/01-intro.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/book/source/01-intro.md b/book/source/01-intro.md index 438d904..3fa5b10 100644 --- a/book/source/01-intro.md +++ b/book/source/01-intro.md @@ -32,6 +32,15 @@ This document is focused on the second group, application developers, who use Op :class: warning Heiko, we should elaborate a bit on why here + +arguments: + +- standardized cryptographic system +- long history, broard support +- lately: many high-quality, modern, library implementations (in the past there were no good ways to integrate openpgp into applications) +- the new version of the standard is almost ready, defining a modernized version 6 of the protocol + +- all of this together: it's now easier than ever to add openpgp functionality to applications, and the updated standard brings the cryptographic building blocks up to the state of the art ``` This document is not intended for end-users. It is also not for implementers of OpenPGP libraries (or other software that directly handles internal OpenPGP data structures).