The downside of our project approach was that we often got experts being very dismissive on re-using email and #OpenPGP ... and there still is some opposition which often subsides when actually trying #deltachat and #chatmail, looking at security audits and our strong usable security focus.

There may also be surprising upsides. The UK "Online Safety Bill" which attacks end-to-end encryption integrity seems to not apply for ... e-mail. Because everyone knows, e-mail is unencrypted, right? :)

@libreoffice

The #Libreoffice Youtube channel is posting a lot of interesting talks from the "Libreoffice and #Opensource Conference 2024"

Some of them:

#LuxChat for Governments: youtube.com/watch?v=JXdMKaEXq0…

#OpenDesk on #OpenCode: youtube.com/watch?v=rVhAltODe-…

#Education: youtube.com/watch?v=V4fkWfuFXf…

#Encrypted and #Signed Documents (UI, with #OpenPGP or #x509): youtube.com/watch?v=W-qFr8tL-L…

#Matrix #Luxembourg

Luxchat4Gov

A talk from the LibreOffice and Open Source Conference 2024 in Luxembourg, with Patrick Weber. More details: https://events.documentfoundation.org/libreoffic...

^YouTube

I just released versions 0.6.2 of rsop, a stateless #OpenPGP ("SOP") CLI tool based on @rpgp:

crates.io/crates/rsop/

Changes since rsop 0.6.0:

- decryption based on session keys is now supported,
- generation of man pages and shell tab completion has been added,
- some subtle semantics fixes for component key validity were implemented.

For more on #SOP, see datatracker.ietf.org/doc/draft…

#PGP #GnuPG

Six times so far ... is how often important parts of #deltachat were independently #security audited and analyzed. Thanks to IncludeSecurity, Cure53, Applied Crypto Team at ETH Zuerich and Radical Open Security.

Last audit is from December 2024 covering @rpgp , the minimal #OpenPGP Rust library that is gaining traction with others projects as well.
Shout-out to dignifiedquire and @hko for their excellent maintenance! For more info on Delta Chat related security audits: delta.chat/en/help#security-au…

Delta Chat: FAQ

What is Delta Chat? Delta Chat is a reliable, decentralized and secure messaging app, available for mobile and desktop platforms. Delta Chat feels like Whatsapp or Telegram but you can also use and...

^delta.chat

I just released version 0.1.0 of rsop-oct, a new stateless #OpenPGP ("SOP") CLI tool that focuses exclusively on use with OpenPGP card hardware devices:

crates.io/crates/rsop-oct/0.1.…

Like its sibling project #rsop, rsop-oct is based on @rpgp

In the next release of rsop, OpenPGP card functionality will be removed from it.
The goal is to offer clear UX in two distinct simple CLI tools, as opposed to one combined and confusing CLI tool.

For more on #SOP, see datatracker.ietf.org/doc/draft…

#PGP #GnuPG #SOP

I just released version 0.4.1 of #rsop, a stateless #OpenPGP ("SOP") CLI tool based on @rpgp:

crates.io/crates/rsop/0.4.1

This release adds support for the 'revoke-key' command.

For more on #SOP, see datatracker.ietf.org/doc/draft…

#PGP #GnuPG #StatelessOpenPGP

rPGP is an #OpenPGP implementation in pure #Rust (crates.io/crates/pgp).

It serves as the end-to-end encryption engine for Delta Chat:
@delta, a secure decentralized messager for all major platforms (and then some).

rPGP implements all generations of the OpenPGP standard, up to and including the new RFC 9580.

#RustLang #Cryptography #PGP

New release today: #rPGP version 0.14.0 ✨

(#OpenPGP implemented in pure #Rust, permissively licensed)

github.com/rpgp/rpgp/releases/…

This release brings rather complete support for the excellent new OpenPGP RFC 9580 (also known as "crypto refresh", or "v6")

RFC 9580 standardizes modern cryptographic mechanisms for OpenPGP: AEAD-based encryption, Argon2, and SHA2 fingerprints for the new OpenPGP v6 key format (v4 keys use SHA1).

Thanks @NGIZero for supporting this work!

#RustLang #PGP #GnuPG

some news regarding rPGP, the minimal #Rust #OpenPGP implementation that stably provides end-to-end encryption for Delta users since many years:

- a new FAQ including questions about IETF specs, Post-Quantum cryptography, Autocrypt, LibrePGP, Seqouia etc. github.com/rpgp/rpgp/blob/mast…

- NLNET just granted #OpenPGP V6 work on rPGP: nlnet.nl/project/rPGP-cryptore…

rPGP is an independent and stable project which provides good general #OpenPGP interoperability, see "rpgpie" in tests.sequoia-pgp.org/

rpgp/docs/FAQ.md at master · rpgp/rpgp

OpenPGP implemented in pure Rust, permissively licensed - rpgp/rpgp

^GitHub

I updated my crowd-sourced list of #openpgp, #fido, #u2f and #piv, #pki security tokens:

l.0l.de/tokens

Feel free to have a look if you are in the market for a new security token Contributions and feedback are highly welcome :)

Crypto, FIDO and Security Tokens

Tokens Crypto, FIDO and Security Tokens,How to contribute Please use the Google Sheets comments to discuss or propose changes. Scope:,USB-connected, TFA, PKI, OTP, PIV tokens,Send updates, access requests or inquires to

^{Google Docs}

Can anymany tell me how I'm "supposed" to use end-to-end encryption with XMPP?

As far as I can tell there are three totally different ways to do E2EE:

a)OTR : "[xmpp.org/extensions/xep-0364.h…](Not intended to be a current standard), or technical specification, as better (albeit, newer and less well tested) methods of end-to-end encryption exist for XMPP. "

b)OpenPGP: There are at least two different XEPs about it. XEP-0027 is obsolete, while XEP-0373 is "experimental" but hasn't been updated in almost three years.

c)OMEMO: "Experimental" and hasn't been updated in over two years.

Is there a way to do E2EE in XMPP which is neither deprecated nor experimental? What's the "Current stable" way to do it?

#XMPP #E2EE #EndToEndEncryption #OMEMO #OpenPGP #OTR

In the past few weeks, I spent a bit of time on a set of #OpenPGP hobby projects around #rpgp (github.com/rpgp/rpgp/). Today I'm happy to announce:

rsop v0.1.0 (crates.io/crates/rsop), an early stage "stateless OpenPGP" tool based on rpgp.

Relatedly, I also released rpgpie 🦀️🔐🥧 v0.0.1 (crates.io/crates/rpgpie), an experimental high level OpenPGP API based on rpgp (rsop is built on top of rpgpie).

#PGP #Rust #rustlang

GitHub - rpgp/rpgp: Pure rust implementation of OpenPGP

Pure rust implementation of OpenPGP. Contribute to rpgp/rpgp development by creating an account on GitHub.

^GitHub

News from the machine room: the pure #rust end-to-end encryption engine, "rpgp", saw quite some work and a new release in recent weeks and now @hko released a higher level "rpgpie" interface for application developers ( see fosstodon.org/@hko/11199799800… ) which also powers running the IETF #OpenPGP #interoperability test suite quite successfully .... Delta Chat's security-audited encryption engine is in fact used from several other projects and in other contexts these days and we are happy about it!

Heiko

2024-02-26 13:23:46

In the past few weeks, I spent a bit of time on a set of #OpenPGP hobby projects around #rpgp (github.com/rpgp/rpgp/). Today I'm happy to announce:

rsop v0.1.0 (crates.io/crates/rsop), an early stage "stateless OpenPGP" tool based on rpgp.

Relatedly, I also released rpgpie 🦀️🔐🥧 v0.0.1 (crates.io/crates/rpgpie), an experimental high level OpenPGP API based on rpgp (rsop is built on top of rpgpie).

#PGP #Rust #rustlang

GitHub - rpgp/rpgp: Pure rust implementation of OpenPGP

Pure rust implementation of OpenPGP. Contribute to rpgp/rpgp development by creating an account on GitHub.

^GitHub

Thunderbird is an email client with built-in support for PGP encryption.

Messages are encrypted/decrypted in the client and remain encrypted on email servers, this is client-side encryption.

Some email providers support PGP encryption server-side, this method could be vulnerable to third-party decryption of emails.

PGP: en.wikipedia.org/wiki/Pretty_G…
Client side encryption: en.wikipedia.org/wiki/Client-s…

Website: thunderbird.net
Mastodon: @thunderbird

#Thunderbird #Email #Encryption #OpenPGP #PGP

I gave a talk at #fosdem #fosdem2024.

Video and slides are now available:
fosdem.org/2024/schedule/event…

#thunderbird #security #openpgp #librepgp #smime

I'm interested in your feedback on these thoughts. Either here, or, if your feedback is longer, for a discussion it might be best to post to
thunderbird.topicbox.com/group…

Thanks a lot to the organizers of @fosdem and the modern email developer room.
github.com/modern-email/FOSDEM…

GitHub - modern-email/FOSDEM-24

Contribute to modern-email/FOSDEM-24 development by creating an account on GitHub.

^GitHub

Having decidedly too much fun playing with ancient #PGP artifacts.

Note the two version 2 public keys from 1992. They were created just over a year after Phil Zimmermann first released PGP (on 6 June 1991), deep in the crypto war era.

These keys predate the #OpenPGP name by around half a decade.

At over 31 years old, nation-state actors can definitely factor John Gilmore's RSA 1024 key today.
However, I believe the cost still exceeds a hobbyist budget even now.

We have just issued the first #release of #sshd-openpgp-auth and #ssh-openpgp-auth.

Using this server and client-side tooling it is possible to manage the #authentication of #SSH host keys with the help of an #OpenPGP certificate as trust anchor.

crates.io/crates/sshd-openpgp-…

crates.io/crates/ssh-openpgp-a…

Many thanks to @wiktor for the great collaboration and #NLnet / #NGIAssure for funding this work!

#DNS #KeyOxide #KnownHosts #OpenSSH #Rustlang #Software #WebKeyDirectory #WebOfTrust #WKD #WoT

(New blog) The State of the Keyservers in 2024

“In the two and a half years since the sks-keyservers.net shutdown in June 2021, the concept of #OpenPGP #keyservers has been called into question. However, keyservers still provide a vital service to the OpenPGP ecosystem.
…
OpenPGP is one of only two widely-used cryptography standards to include a full Public Key Infrastructure”

blog.pgpkeys.eu/state-keyserve…

Better to take some more time to prepare a proper release – looking forward to it and kudos for keeping Thunderbird on @fdroidorg.

Still, any news about future encryption options, especially via #OpenPGP? Pretty much all #Android email clients rely on #Openkeychain to manage all your keys. Sadly it is still unmaintained and desperately needs a replacement or someone to take over development. Look at issues like this: github.com/open-keychain/open-…
#Thunderbird for Android will also rely on this unmaintained app.

Vulnerability in OpenKeychain · Issue #2856 · open-keychain/open-keychain

Hello, Researchers discovered a vulnerability in OpenKeychain. The technical report was sent by email (security@openkeychain.org), no response. Please contact us.

^GitHub

LibreOffice supports symmetric and asymmetric encryption for OpenDocument Format (ODF) files.

Select File > Save/Save As

The "Save with password" option encrypts the file with AES-256.
The "Encrypt with GPG key" option encrypts the file with a public key.

Symmetric encryption: en.wikipedia.org/wiki/Symmetri…
Asymmetric encryption: en.wikipedia.org/wiki/Public-k…

Website: libreoffice.org
Mastodon: @libreoffice

#LibreOffice #Encryption #OpenSource #OpenPGP #PGP #GnuPG #GPG #InfoSec #Privacy #Security

PGPainless 1.0.0 Released!

Close to the end of 2021 I’m excited to announce the release of PGPainless version 1.0.0! I feel like it finally reached a state of sufficient maturity to be worthy of a major release with a “1” at the front.

blog.jabberhead.tk/2021/12/30/…

#audit #encryption #java #openpgp #pgpainless

PGPainless 1.0.0 Released!

Close to the end of 2021 I'm excited to announce the release of PGPainless version 1.0.0! I feel like it finally reached a state of sufficient maturity to be worthy of a major release with a "1" at the front.

^{vanitasvitae (jabberhead.tk)}

📣 The first of the bigger announcements 🎉

We're launching ariadne.id, an experimental living document that contains all the knowledge that powers #keyoxide!

This should make it easier to make independent libraries, implementations, apps and websites 😎

Aaaand: *proof@ariadne.id=* 🤩

Let's claim back sovereignty over our online identity!

Blog post: blog.keyoxide.org/ariadne-spec…

#openpgp #ariadnespec