Secure and Robust

Sequoia focuses on security and robustness in our choice of tools, our development methodology, and feature set.

Read more.

Easy to Use

A library is only as good as its integration in downstream projects. As such, we made ease of use one of our main goals.

Read more.

Holistic Approach

Improving the security of OpenPGP users requires more than a new implementation. Therefore, we are taking a holistic approach and are improving the ecosystem.

Read more.

Testimonials

Sequoia PGP is more than just a reimplementation of an existing tool. The team behind it is rethinking tooling for the broader PGP ecosystem. Their innovative ideas are making PGP easier to use. I can’t wait to see Sequoia PGP be more broadly adopted.

Phil Zimmermann

Creator of PGP
During the last 3 years the PGP ecosystem got un-stuck, largely thanks to the Sequoia project. They put in the gargantuan effort of re-implementing PGP, but also started re-imagining other tools in the ecosystem, with the same common-sense, practical security approach. This is already making a difference for my team, and those whose security we’re responsible for.

Michał "rysiek" Woźniak

Head of Infrastructure and Information Security, OCCRP
Sequoia has fundamentally improved my work on the pEp Engine. I love how fast all the tests run on Sequoia. It’s OBSCENE. With the old PGP implementation it would take nearly 2 minutes to run. With Sequoia, running the whole test suite takes less than 2 seconds. I am… not free from symptoms of ADHD. Running all of the tests on Sequoia means that they’re over before I have time to get distracted. That’s a serious improvement.

Krista Bennett

Senior Developer, the pEp Engine

News

Hello, OpenPGP CA!

By Neal on May 12, 2021

We are pleased to share that version 0.10.1 of OpenPGP CA has been released! This is also the first version which is available on crates.io.

OpenPGP CA is a tool for administrators to create and manage a decentralized, in-house certification authority. OpenPGP CA makes it possible and easy for an organization to delegate authentication decisions to someone they can rely on, like their system administrator. And, external groups and individuals can use these CAs to authenticate certificates for just that organization using OpenPGP’s scoped trust signatures. OpenPGP CA also helps with key discovery and key updates by managing a Web Key Directory (WKD).

Thunderbird, RNP, and the Importance of a Good API

By Neal on May 6, 2021

I was recently talking to a Thunderbird developer about API design. In the course of that conversation, I expressed concerns about RNP, the new OpenPGP implementation that Thunderbird has recently started using in place of GnuPG. That person, skeptical about my assertion that RNP’s API needs improvement, asked “Isn’t it subjective what a better API is?” I’d agree that we don’t yet have good metrics to evaluate an API. But, I disagree that we can’t judge APIs at all. In fact, I suspect, most experienced programmers know a bad API when they see it. Further, I think we can come up with some good heuristics, which I’ll try to do based on my experience working on and with GnuPG, Sequoia, and RNP. Then, I’ll take a look at RNP’s API. Unfortunately, RNP’s API is not only easy to misuse, but it’s misleading, and, as such, shouldn’t yet be used in a safety-critical context. Yet, Thunderbird is relied on by vulnerable people like journalists, activists, lawyers, and their communication partners who need this protection. For me, this means that Thunderbird should reevaluate their decision to use RNP.