Blog

Sequoia's Input to the Upcoming European Open Digital Ecosystem Strategy

The European Commission has requested input to inform the upcoming European Open Digital Ecosystem Strategy. The initiative “will set out: a strategic approach to the open source sector in the EU that addresses the importance of open source as a crucial contribution to EU technological sovereignty, security and competitiveness” and “a strategic and operational framework to strengthen the use, development and reuse of open digital assets within the Commission.”

The following text is our submission. In our response, we highlight issues with the status quo. In particular, we criticize the dominance of American mega-corporations and suggest an alternative approach where no company is too large to fail, we discuss how proprietary software inhibits sovereignty and security and FOSS enables it, and we call for a significant investment in FOSS in the form of something like the proposed EU Sovereign Tech Fund, and the creation of an IT support ecosystem for consumers of FOSS.


Thoughts on To Sign or Not to Sign

39C3, the annual meeting of the Chaos Computer Club (CCC), included a presentation called To sign or not to sign: Practical vulnerabilities in GPG & friends. In their presentation, the security researchers discuss the vulnerabilities that they found in GnuPG, Sequoia, age and minisign. The talk is impressive not least for the sheer number of vulnerabilities (14!) that they found, but also for their breadth. They range from buffer overflows, to the use of uninitialized memory, to improper input validation.

In this blog post, I will take a look at the attack that the researchers claim demonstrates a security weakness in Sequoia, and consider its possible impact. In my estimation, this characterization is primarily due to a literal translation of gpg invocations to sq invocations, and the user ignoring sq’s output. As the user is following a recipe, a more realistic analysis should have considered a less naive translation that uses sq’s standard workflows, which would have prevented the attack. That said, the security researchers identify an issue that raises legitimate concerns, and the ecosystem as a whole needs to improve to better protect users.


Post Quantum Cryptography in Sequoia PGP

Post-quantum cryptography is coming to OpenPGP. Over the past three years, several parties have collaborated on a new specification within the IETF OpenPGP working group. That document, Post-Quantum Cryptography in OpenPGP, is making its final steps towards ratification. During the last year, we’ve implemented the standard in Sequoia, and exposed the functionality in various components. In this blog post, I’ll explain what post-quantum cryptography is, why we’ve implemented it, and how to use it.


c’t Open Source Spotlight interview with Neal

Shortly after the 1.0 release of sq, Keywan Tonekaboni wrote me an e-mail and asked whether I had time for a short interview for the c’t Open Source Spotlight. A few days later the interview appeared, with a nice introduction by Keywan. Unfortunately there is no archive, so with Keywan's permission I have reproduced the content here.


RFC9580 preview release

The Sequoia PGP team is happy to announce the preview release of version 2.0.0-alpha.0 of sequoia-openpgp. sequoia-openpgp is our low-level crate providing OpenPGP data types and associated machinery.

This is the first version that supports the new revision of OpenPGP specified in RFC9580 released at the end of July 2024. It is the successor of RFC4880, released in 2007. It brings new cryptographic algorithms to OpenPGP, and deprecates and outright removes old ones. Notably, it specifies AEAD, Argon2, and is the basis of the ongoing PQC work in OpenPGP.


Sequoia PGP: A Sapling Matures: Meet sq 1.0

The Sequoia PGP team is happy to announce the release of version 1.0 of sq. sq is a command-line tool for working with OpenPGP artifacts with a focus on usability, security, and robustness.

After seven years of development, this is sq’s first stable release. A notable change for existing users of sq is that we will no longer change sq’s CLI in an incompatible manner.


Sequoia PGP in Fedora Linux

Fedora 34 was the first version of Fedora to ship Sequoia PGP, back in 2021; a lot has happened since then. In this post, I’ll cover what’s new, and provide some hints for how to get started with some of the more advanced tools.


Sequoia PGP: Out and About

Over the past few months, we’ve attended a number of conferences. In addition to hearing from a lot of people who had helpful feedback and fresh ideas, we’ve also held several presentations.

In this post, I summarize our talks, and link to recordings when they are available. I also report on the OpenPGP Email Summit, which is a yearly gathering of some people from the OpenPGP community. (If you are interested in the so-called LibrePGP / OpenPGP schism, read on.)

At the end, I list where you can meet us in person in the near future. (Spoiler: at Datenspuren in Dresden in September, and IETF 121 in Dublin in November.)


UX studies to test and improve sq

In a few months, we plan to release version 1.0 of sq, our primary command line interface. With version 1.0, we will commit to a long-term stable API. Ideally, that API will also be usable. Although we’ve put in a lot of time thinking about usability, we want your feedback. To this end, we’re conducting a user study.


Sequoia PGP, Community Outreach

Since September 2023, nearly all paid work on Sequoia has been financed by the Sovereign Tech Fund (STF). The technical focus of the award is on the maintenance and development of sq, our command-line front-end, and sequoia-openpgp, our core library. But the scope is not limited to development work: STF is also supporting our standardization work and community outreach. In this blog post, I’ll highlight some of our recent community work.
