Sequoia PGP 1.3 is launched

We’re jubilant to yelp the discharge of model 1.3 of our low-diploma
OpenPGP library. For these of you following along at home, you’re
doubtlessly asking what took situation to 1.2. This past Sunday was as soon as PGP’s 30th
birthday. To get a superb time three decades of PGP, we’ve made up our minds to skip
1.2 and straight release 1.3.

Sequoia PGP is the most evolved OpenPGP implementation on hand recently.

30 years is a actually lengthy time for a program. And indeed, recently, the
fashioned PGP implementation isn’t any longer incessantly recognizable
after having changed hands so many occasions. Alternatively, OpenPGP, the
protocol that PGP historical and was as soon as standardized by the IETF first in RFC
1991 in 1996, and up to this point by RFC 2440 and RFC 4880, lives on.
And, it composed has undoubtedly a number of the basic flexible authentication mechanisms
and PKIs. Historically, this has easiest been accessible to evolved
users, but by our work on tools luxuriate in keys.openpgp.org and
OpenPGP CA, we’re beginning to leverage its power to lift solid
and simple-to-exhaust authentication to long-established users. For this motive and
others, Phil Zimmermann, the creator of PGP, has mentioned that “Sequoia
PGP is the most evolved OpenPGP implementation on hand recently.”
We’re proud to get a Champion of Freedom’s endorsement, and ought to composed
proceed to innovate in this home to higher offer protection to the privateness and
security of Web users.

Sequoia 1.3

For the duration of the 1.x release cycle, we’re adding facets, fixing bugs, and
bettering the documentation, whereas maintaining the API proper. Downstream
users ought to composed have the choice to update to model 1.3 with out changing their
code. In December 2020, we commited to offering security fixes for
and declaring the 1.x releases for 1 year. We remain commited to
that promise.

Security Fixes

We’re no longer responsive to any security points in this model of Sequoia.
Alternatively, whereas you are the exhaust of Sequoia with Infuriate, Sequoia’s default
cryptographic backend, please snatch into legend that variations of Infuriate prior
to three.7.3 get a pc virus, which an attacker can exploit to smash Infuriate and
this potential that this intention the exhaust of Sequoia. For more famous facets, please take into legend
CVE-2021-3580 and Infuriate’s release announcement.

Critical Bug Fixes

• #715: The Dwelling windows CNG backend did no longer clamp Curve25519 secret
  key topic cloth before the exhaust of them. This introduced about decryption failures
  when the exhaust of the keys. In keeping with the celebrated, Curve25519 keys
  ought to composed be clamped, then yet one more time, some OpenPGP implementations did no longer attain
  this. Fairly than power the client to create fresh keys, the Dwelling windows
  CNG backend now merely clamps the keys. This also aligns the
  habits of the CNG backend with the Infuriate backend.

• #706: Cert::insert_packets ran in quadratic time. We rewrote
  the deduplication code to bustle in O(n log n) time.

• #699: When CertParser encountered invalid files, it could perchance perchance perchance
  eagerly return the error sooner than returning the already parsed
  certificates. This has been fastened to first return the pending
  certificates and then return the error.

Aspects

• Sequoia now helps first-celebration attestations of third-celebration
  affirmation signatures. This lets certificates holders attest
  to third-celebration certifications over their certificates, and allow
  these certifications to be disbursed by a abuse-resistant
  keyserver (luxuriate in, as an illustration, https://keys.openpgp.org) that
  preserves the holders sovereignty over the suggestions
  disbursed with her cert.

• Sequoia now enables the re-exhaust of session keys. This solves a
  lengthy-standing command: How attain you reply to an email whereas you don’t
  get the certs of every and every recipient? Beforehand, users had
  no likelihood but to reply in plaintext, doubtlessly revealing
  delicate files. With session key re-exhaust, the fashioned
  message’s session key’s historical, which already has been encrypted
  for every recipient in the dialog.

• Sequoia’s certificates builder is now more flexible: it enables
  binding signatures to be personalized. As an illustration, you would add
  notations to it, restricting the utilization of subkeys to particular
  domains.

Contemporary API

The following fresh choices get been added:

• CertBuilder::add_subkey_with
• CertBuilder::add_user_attribute_with
• CertBuilder::add_userid_with
• ComponentBundle::attestations
• Encryptor::with_session_key
• Signature::verify_user_attribute_attestation
• Signature::verify_userid_attestation
• SignatureBuilder::pre_sign
• SignatureBuilder::set_attested_certifications
• SignatureType::AttestationKey
• SubpacketAreas::MAX_SIZE
• SubpacketAreas::attested_certifications
• SubpacketTag::AttestedCertifications
• SubpacketValue::AttestedCertifications
• UserAttributeAmalgamation::attest_certifications
• UserIDAmalgamation::attest_certifications
• ValidUserAttributeAmalgamation::attest_certifications
• ValidUserAttributeAmalgamation::attestation_key_signatures
• ValidUserAttributeAmalgamation::attested_certifications
• ValidUserIDAmalgamation::attest_certifications
• ValidUserIDAmalgamation::attestation_key_signatures
• ValidUserIDAmalgamation::attested_certifications