mirror of
https://codeberg.org/openpgp/notes.git
synced 2024-11-27 10:02:06 +01:00
88 lines
3.5 KiB
Markdown
88 lines
3.5 KiB
Markdown
# Notes on OpenPGP
|
|
|
|
An introduction to the concepts of OpenPGP, aimed mainly at software
|
|
developers who are looking to use OpenPGP functionality in their projects.
|
|
|
|
This document describes
|
|
[OpenPGP version 6](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/),
|
|
with occasional remarks about differences to earlier versions.
|
|
|
|
This text is *not* intended as a guide for end-users who use OpenPGP-related software.
|
|
|
|
## What is OpenPGP?
|
|
|
|
OpenPGP is an open standard for cryptographic operations.
|
|
It has grown out of the
|
|
["Pretty Good Privacy (PGP)"](https://en.wikipedia.org/wiki/Pretty_Good_Privacy)
|
|
software.
|
|
|
|
OpenPGP is an open standard, there are many widely used
|
|
(and [interoperable](https://tests.sequoia-pgp.org/)) implementations.
|
|
|
|
{::comment}
|
|
Heiko, let's be sure to create our own page on iteroperability instead of linking to this
|
|
{:/comment}
|
|
|
|
## Goals of this document
|
|
|
|
There are three groups of people who interact with OpenPGP:
|
|
|
|
1. End-Users, who use software that contains OpenPGP functionality (e.g., the Thunderbird email software)
|
|
2. Software developers who build applications that contain OpenPGP functionality
|
|
3. Implementers of libraries or software that handles the processing of internal OpenPGP data structures
|
|
|
|
This document is focused at the second of these groups:
|
|
software developers who use OpenPGP functionality in their software projects.
|
|
|
|
It is not intended for end-users who use software that contains OpenPGP functionality.
|
|
|
|
This text aims to describe OpenPGP at the "library-level":
|
|
we teach the concepts that will help you get started as a user of any implementation
|
|
(such as OpenPGP JS, Sequoia PGP, ...)
|
|
|
|
### Requirements
|
|
|
|
We presuppose solid knowledge in both software development concepts,
|
|
and of general cryptographic concepts.
|
|
|
|
OpenPGP is a system based on well-understood cryptographic building blocks.
|
|
We describe the properties of the OpenPGP system, and how to use it.
|
|
|
|
### A companion for the OpenPGP RFC
|
|
|
|
```
|
|
The RFC explains lots of details (which bit goes where) that are crucial
|
|
for implementers, but unimportant for software developers who use OpenPGP
|
|
through a library.
|
|
```
|
|
|
|
The [OpenPGP RFC](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/)
|
|
defines *"the message formats used in OpenPGP"* to *"provide encryption with
|
|
public-key or symmetric cryptographic algorithms, digital signatures,
|
|
compression and key management"*.
|
|
|
|
The RFC, as a standards document, is mainly aimed at the third group:
|
|
Implementers of software that handles internal OpenPGP data structures.
|
|
In that context, the nitty-gritty of which bit of data goes where is crucial.
|
|
|
|
For software developers using OpenPGP through a library, however, it is not.
|
|
This document describes OpenPGP concepts at the "library" level of abstraction,
|
|
and ignores most details about how OpenPGP artifacts are encoded at the lowest level.
|
|
|
|
The idea is to go over various common OpenPGP artifacts, as they are
|
|
currently used, to get an overview.
|
|
|
|
### Covering versions
|
|
|
|
We will mainly cover v6 of OpenPGP, but occasionally point out
|
|
differences to previous versions.
|
|
|
|
Version 4 of OpenPGP will remain relevant for a number of years,
|
|
and some OpenPGP version 3 artifacts are still in use as of this writing (in 2023).
|
|
|
|
For example, the RFC states that implementations MAY accept version 3 signatures.
|
|
Handling version 3 artifacts is relevant in some contexts, where dealing with
|
|
historical OpenPGP material is required.
|
|
|
|
Where differences between versions may be relevant to application developers,
|
|
we will point them out.
|