1. Introducing OpenPGP¶
This documentation project is designed to provide a comprehensive understanding of OpenPGP, highlighting its functionalities and applications for software developers. While this document predominantly references OpenPGP version 6, as outlined in the latest RFC, it is important to note that the fundamental principles and functionalities of OpenPGP have remained consistent across its versions since its first release as an open standard in RFC 2440 in 1998.
This documentation project seeks to introduce all OpenPGP concepts and functionalities to application developers who wish to use it in their projects.
1.1. What is OpenPGP?¶
OpenPGP is an open standard for cryptographic operations. It is a system based on well-understood cryptographic building blocks. OpenPGP supports the secure delivery of files and messages between a sender and a recipient. It also addresses identities and their verification. OpenPGP is an outgrowth of the “Pretty Good Privacy (PGP)” encryption program and has many widely used and interoperable implementations.
With OpenPGP, you can:
Sign and verify data to ensure authenticity
Issue and validate certifications about keys and identities, similar to the role of a Certificate Authority (CA) in validating identities.
1.2. Who is the audience for this document?¶
Three groups of people interact with OpenPGP:
End users, who use software that contains OpenPGP functionality (e.g., the Thunderbird email software)
Software developers who build applications that contain OpenPGP functionality
Implementers of OpenPGP libraries (or other software that directly handles the processing of internal OpenPGP data structures)
This document is not intended for end users.
Instead, this document is mainly aimed at the second group, application developers, who use OpenPGP functionality in their software projects. It describes the properties of the OpenPGP system and its uses. It presupposes solid knowledge of software development concepts and of general cryptographic concepts. Thus, this text describes OpenPGP at the “library-level,” teaching concepts that will help software developers get started as a user of any implementation (e.g., OpenPGP.js, Sequoia-PGP).
The document may also serve as a useful supplement to the RFC for implementers of OpenPGP libraries (or other software that directly handles internal OpenPGP data structures).
With the emergence of a new crop of modern, high-quality OpenPGP libraries, and the imminent release of the updated OpenPGP version 6 specification, we think that now is a great time to implement OpenPGP functionality in applications or to modernize existing OpenPGP subsystems.
The goal of this document is to offer an implementation-independent introduction to the OpenPGP technology, assisting software developers in quickly familiarizing themselves and serving as a pathway to relevant information in the RFC.
1.3. Why not just use the OpenPGP RFC?¶
The OpenPGP RFC defines the message formats used in OpenPGP. That is, it describes the internal structure of OpenPGP data, which is crucial for OpenPGP library implementers. However, this level of detail is not required for software developers who use OpenPGP via a library.
This document describes OpenPGP concepts at the “library” level of abstraction, omitting unnecessary detail about the internal encoding of OpenPGP artifacts. Instead, we focus on the properties of these OpenPGP artifacts and how they are used, while adding context that is not elaborated on in the RFC.
1.4. Which version of OpenPGP does this address?¶
This documentation encompasses the core aspects of modern OpenPGP practices, applicable across different versions. This respects that, at a foundational level, there is significant overlap, continuity, and consistency from its earliest version to its latest.
While using version 6 as a reference for current standards, we include insights derived from earlier versions, particularly version 4, which continues to be widely used in ongoing projects.
Where differences between OpenPGP versions are relevant to application development, we provide focused insights to ensure the content remains as version-agnostic as possible and, thus, broadly applicable for developers working with various iterations of OpenPGP.