Sequoia PGP, Community Outreach

By Neal | April 25, 2024

Since September 2023, nearly all paid work on Sequoia has been financed by the Sovereign Tech Fund (STF). The technical focus of the award is on the maintenance and development of sq, our command-line front-end, and sequoia-openpgp, our core library. But the scope is not limited to development work: STF is also supporting our standardization work, and community outreach. In this blog post, I’ll highlight some of our recent community work.

Presentations

Sequoia PGP: Following a Moral Imperative at Karakun AG

In November, I delivered a talk entitled Sequoia PGP: Following a Moral Imperative at Karakun AG in Basel, Switzerland. I was invited by Christian Ribeaud, who works at Karakun AG. Karakun AG is a software development company, and is one of the entities working with the Swiss Institute of Bioinformatics (SIB) on a tool called sett, which hospitals and researchers in Switzerland use to exchange privacy sensitive data. (Here’s a presentation about sett.) We’ve been in regular contact with the sett developers since shortly after they decided to switch to Sequoia.

The first half of my presentation was a call to action. Just because a client asks you to implement some functionality doesn’t mean that you should do it. As developers, we have the moral imperative to reflect on the possible consequences of what we create, and, if necessary, explain to our clients that violating human rights is non-negotiable. Further, we must resist requests to collect unnecessary data, and we should add end-to-end encryption where possible.

In the second half of the talk, I presented background information, and technical details about PGP, OpenPGP, and Sequoia PGP. I argued that Sequoia PGP is one possible option that developers should consider to help protect users, but that the most important thing they should do is to respect human rights; the actual technology is secondary.

Interop Testing v6 at IETF 118

At IETF 118, Justus presented his work on our Interoperability Test Suite in particular as regards the upcoming OpenPGP revision. The so-called crypto-refresh has been submitted to the IESG for publication. The proposed standard includes AEAD encryption among many other modernizations.

Justus started the interoperability test suite four years ago. As of the presentation, it included 131 tests, 1510 test vectors, and tested most major OpenPGP implementations. Justus requested that anyone working on an OpenPGP implementation implement the SOP interface, which the test suite uses to execute the tests, and tell him so that he can add their implementation to the test suite’s report.

Sequoia PGP: Rethinking OpenPGP Tooling presentation at FOSDEM

At FOSDEM, I presented Sequoia PGP: Rethinking OpenPGP Tooling. The talk was divided into two parts.

In the first part, I told Sequoia’s origin story. I emphasized the debt that Sequoia owes to Werner Koch, GnuPG’s creator and our former employer. I explained that we decided to start Sequoia due to differences in our technical visions; that although we had many technical conversations with Werner, we were unable to find a common ground. Our intention with Sequoia was not to replace GnuPG or somehow steal its users, but to provide users with another option thereby growing OpenPGP’s user base. In that way, we hoped that not only would the ecosystem grow, but privacy and security would improve for all.

In the second half of the talk, I explained Sequoia’s architecture, and how it is not just a reimplementation of GnuPG, but has a different philosophy, and embraces other paradigms. In particular, Sequoia takes a library-first approach, and strives for policy-free, unopinionated, but safe-by-default interfaces. Further, Sequoia focuses on authentication for users with a variety of threat models: from those who only care about their privacy, and are willing to rely on central authorities like CAs, to those who are worried about their personal safety, and only want to rely on a few, highly select entities.

I concluded by reiterating that winning is not having Sequoia or OpenPGP dominate the “market,” but improving the privacy and security of individuals.

Conferences

Over the past few months, we attended IETF 118 in Prague, 37C3, FOSDEM, and MiniDebCamp Hamburg. We had great talks with developers from projects using Sequoia like Qubes OS, Proxmox and Tumpa; with developers from the broader OpenPGP ecosystem, like those working on DeltaChat, a decentralized chat app, which uses mail for its transport layer, Proton’s crypto team who maintain gopenpgp and openpgpjs, and Thunderbird’s e2ee team; and with many other people.

In the coming months, we plan to be at RustNL (May, Netherlands), MiniDebConf Berlin (May, Germany), the OpenPGP Email Summit (June, Germany), and DebConf24 (July, South Korea). If you are attending and want to chat, please feel free to reach out.

Sequoia’s Users

Sequoia doesn’t exist in a vacuum: Sequoia’s APIs and functionality are greatly influenced by our users. The most salient feedback we get comes when we engage with them.

sett

The Swiss Institute of Bioinformatics (SIB) commissioned the creation of sett (Secure Encryption and Transfer Tool) for use by Swiss hospitals and researchers to exchange privacy sensitive data.

A few years ago, the developers of sett decided to switch to Sequoia for their OpenPGP needs. Since then, we’ve collaborated with them on a regular basis. We’ve helped out, contributed code, and made a few suggestions. This past November, I also visited them in Basel. In addition to the aforementioned presentation at Karakun, we had a half day meeting during which we discussed some security-relevant details of sett.

SecureDrop

SecureDrop is a whistle-blower platform, which is used by many organizations including The Washington Post and The Guardian.

In 2022, the SecureDrop team started evaluating Sequoia as an alternate OpenPGP implementation. There were two major motivations: the Python library that they were using to interact with GnuPG was unmaintained, and SecureDrop had an impedance mismatch with how GnuPG manages certificates:

Using Sequoia as a library should allow us to use only what we actually need to use. We would also no longer be tied to the gpg on-disk keyring, so we could put them in the database.

The SecureDrop team came up with a migration plan. They executed it. And, at the end of last year, they requested an audit. We obliged. I found a few minor issues, which were quickly addressed. Then in November, SecureDrop 2.7.0 was released with Sequoia support!

Kunal Mehta (legoktm), the SecureDrop developer who did most of the work switching SecureDrop to Sequoia, wrote two blog posts about his experience: a more official account of the process, Migrating SecureDrop’s PGP backend from GnuPG to Sequoia, and a more personal missive.

Among other interesting things that Kunal wrote, he said:

We’d like to thank the Sequoia team for its work on developing such a useful and straightforward library

I can only reflect that back to the SecureDrop team, and Kunal, in particular: thanks for the thoughtful interactions and feedback. I look forward to a continued fruitful collaboration!

RPM Package Manager

In 2022, as part of its 4.18 release, RPM switched to Sequoia for its default OpenPGP backend. At the start of 2023, Fedora 38 was the first distribution to adopt the Sequoia-based backend.

As with any change in technology, there are growing pains. And even those differences that are intended need explanation, and have rippling effects, which impact downstream projects and users. Since the Fedora 38 release, a couple of issues have been raised, but we’ve stayed on top of them, and, I think, found satisfactory solutions.

Recently, Panu removed the deprecated OpenPGP backend from RPM, and Sequoia became RPM’s only officially supported OpenPGP backend. Panu Matilainen, RPM’s maintainer, wrote:

Million thanks @nwalfield and @teythoon for making this possible!

I can’t believe just how much weight this took off my shoulders 🪶

Every software engineer knows some code is more expensive to maintain than others, but I wonder: how do you measure it? In kilograms? 😄

Since Panu wrote that a month ago, I’ve been at a loss for words. All I can say is: thank you! Collaborating with you was a great pleasure. We had great, constructive, and respectful discussions. It’s the type of collaboration that, I think, every software engineer prefers!

Call for Collaboration

If your project is using or thinking about using Sequoia or OpenPGP, we’d be happy to help (even if you don’t end up choosing Sequoia)! If you are interested, feel free to reach out to us.