Status

This documents the current status of Sequoia as of 2021-10-05 . Note: At this point, there are already several users of our software, so there is a bit of experience with it in the wild. Sequoia has not been audited yet, but as soon as we release the core Sequoia crate, it will be audited by a third party.

Please also see the OpenPGP Interoperability Test Suite for an automated assessment of Sequoia’s and other implementations' capabilities and how compatible they are.

OpenPGP

RFC4880bis-06 RFC4880 Content Status Notes
2 2 General functions
2.1 2.1 Confidentiality via Encryption
2.2 2.2 Authentication via Digital Signature
2.3 2.3 Compression See below for supported algorithms.
2.4 2.4 Conversion to Radix-64
2.5 2.5 Signature-Only Applications
3.2 3.2 Multiprecision Integers
3.3 3.3 Key IDs
3.6 3.6 Keyrings
3.7.1 3.7.1 String-to-Key (S2K) Specifier Types
3.7.2 3.7.2 String-to-Key Usage
4.2.1 4.2.1 Old Format Packet Lengths
4.2.2 4.2.2 New Format Packet Lengths
4.3 4.3 Packet Tags
5.1 5.1 Public-Key Encrypted Session Key Packets (Tag 1)
5.2.1 5.2.1 Signature Types
5.2.2 5.2.2 Version 3 Signature Packet Format
5.2.3 5.2.3 Version 4 Signature Packet Format
5.2.3 Version 5 Signature Packet Format
5.2.3.1 5.2.3.1 Signature Subpacket Specification
5.2.3.4 5.2.3.4 Signature Creation Time
5.2.3.5 5.2.3.5 Issuer
5.2.3.6 5.2.3.6 Key Expiration Time
5.2.3.7 5.2.3.7 Preferred Symmetric Algorithms
5.2.3.8 Preferred AEAD Algorithms
5.2.3.9 5.2.3.8 Preferred Hash Algorithms
5.2.3.10 5.2.3.9 Preferred Compression Algorithms
5.2.3.11 5.2.3.10 Signature Expiration Time
5.2.3.12 5.2.3.11 Exportable Certification
5.2.3.13 5.2.3.12 Revocable
5.2.3.14 5.2.3.13 Trust Signature
5.2.3.15 5.2.3.14 Regular Expression
5.2.3.16 5.2.3.15 Revocation Key
5.2.3.17 5.2.3.16 Notation Data
5.2.3.17.1 The ‘charset’ Notation
5.2.3.17.2 The ‘manu’ Notation
5.2.3.17.3 The ‘make’ Notation
5.2.3.17.4 The ‘model’ Notation
5.2.3.17.5 The ‘prodid’ Notation
5.2.3.17.6 The ‘pvers’ Notation
5.2.3.17.7 The ‘lot’ Notation
5.2.3.17.8 The ‘qty’ Notation
5.2.3.17.9 The ‘loc’ and ‘dest’ Notations
5.2.3.17.10 The ‘hash’ Notation
5.2.3.18 5.2.3.17 Key Server Preferences
5.2.3.19 5.2.3.18 Preferred Key Server
5.2.3.20 5.2.3.19 Primary User ID
5.2.3.21 5.2.3.20 Policy URI
5.2.3.22 5.2.3.21 Key Flags
5.2.3.23 5.2.3.22 Signer’s User ID
5.2.3.24 5.2.3.23 Reason for Revocation
5.2.3.25 5.2.3.24 Features
5.2.3.26 5.2.3.25 Signature Target
5.2.3.27 5.2.3.26 Embedded Signature
5.2.3.28 Issuer Fingerprint
Intended Recipient Proposed.
5.2.4 5.2.4 Computing Signatures
5.3 5.3 Symmetric-Key Encrypted Session Key Packets (Tag 3) V4
5.3 Symmetric-Key Encrypted Session Key Packets (Tag 3) V5
5.4 5.4 One-Pass Signature Packets (Tag 4)
5.5.2 5.5.2 Public-Key Packet Format V2 Obsolete.
5.5.2 5.5.2 Public-Key Packet Format V3 Obsolete.
5.5.2 5.5.2 Public-Key Packet Format V4
5.5.2 Public-Key Packet Format V5
5.5.3 5.5.3 Secret-Key Packet Format V2 Obsolete.
5.5.3 5.5.3 Secret-Key Packet Format V3 Obsolete.
5.5.3 5.5.3 Secret-Key Packet Format V4
5.5.3 Secret-Key Packet Format V5
5.6.1 Algorithm-Specific Part for RSA Keys
5.6.2 Algorithm-Specific Part for DSA Keys
5.6.3 Algorithm-Specific Part for Elgamal Keys
5.6.4 Algorithm-Specific Part for ECDSA Keys
5.6.5 Algorithm-Specific Part for EdDSA Keys
5.6.6 Algorithm-Specific Part for ECDH Keys
5.7 5.6 Compressed Data Packet (Tag 8)
5.8 5.7 Symmetrically Encrypted Data Packet (Tag 9) Insecure.
5.9 5.8 Marker Packet (Obsolete Literal Packet) (Tag 10)
5.10 5.9 Literal Data Packet (Tag 11)
5.11 5.10 Trust Packet (Tag 12) Implementation defined.
5.12 5.11 User ID Packet (Tag 13)
5.13 5.12 User Attribute Packet (Tag 17)
5.13.1 5.12.1 The Image Attribute Subpacket
5.13.2 User ID Attribute Subpacket
5.14 5.13 Sym. Encrypted Integrity Protected Data Packet (Tag 18)
5.15 5.14 Modification Detection Code Packet (Tag 19)
5.16 AEAD Encrypted Data Packet (Tag 20)
5.16.1 EAX Mode
5.16.2 OCB Mode
6.2 6.2 Forming ASCII Armor
7 7 Cleartext Signature Framework
8 8 Regular Expressions
9.1 9.1 Public-Key Algorithms See below for supported algorithms.
9.2 ECC Curve OID See below for supported algorithms.
9.3 9.2 Symmetric-Key Algorithms See below for supported algorithms.
9.4 9.3 Compression Algorithms See below for supported algorithms.
9.5 9.4 Hash Algorithms See below for supported algorithms.
9.6 AEAD Algorithms See below for supported algorithms.
11 11 Packet Composition
11.1 11.1 Transferable Public Keys We use a formal grammar.
11.2 11.2 Transferable Secret Keys We use a formal grammar.
11.3 11.3 OpenPGP Messages We use a formal grammar.
11.4 11.4 Detached Signatures
12.1 12.1 Key Structures V3 Obsolete.
12.1 12.1 Key Structures V4
12.2 12.2 Key IDs and Fingerprints V3 Obsolete.
12.2 12.2 Key IDs and Fingerprints V4
12.2 Key IDs and Fingerprints V5
13 Elliptic Curve Cryptography
13.1 Supported ECC Curves See below for supported algorithms.
13.2 ECDSA and ECDH Conversion Primitives
13.3 EdDSA Point Format
13.4 Key Derivation Function
13.5 EC DH Algorithm (ECDH)

Algorithms

We gracefully handle unknown algorithms during parsing and serialization even if we do not support them. This is important for roundtripping OpenPGP packets.

What algorithms are supported by Sequoia depends on the cryptographic backend selected at compile time. Currently, the following backends are available:

Public-Key Algorithms

ID Algorithm Nettle CNG RustCrypto Notes
1 RSA (Encrypt or Sign)
2 RSA Encrypt-Only
3 RSA Sign-Only
16 Elgamal (Encrypt-Only)
17 DSA (Digital Signature Algorithm)
18 ECDH public key algorithm See below for the supported curves.
19 ECDSA public key algorithm See below for the supported curves.
20 Reserved (formerly Elgamal Encrypt or Sign) Insecure.
21 Reserved for Diffie-Hellman (X9.42, as defined for IETF-S/MIME)
22 EdDSA See below for the supported curves.
23 Reserved for AEDH
24 Reserved for AEDSA

ECDH

Curve name Nettle CNG RustCrypto Notes
NIST P-256
NIST P-384
NIST P-521
brainpoolP256r1
brainpoolP512r1
Curve25519

ECDSA

Curve name Nettle CNG RustCrypto Notes
NIST P-256
NIST P-384
NIST P-521
brainpoolP256r1
brainpoolP512r1

EdDSA

Curve name Nettle CNG RustCrypto Notes
Ed25519 Implemented via ed25519-dalek when the CNG backend is selected.

Symmetric-Key Algorithms

ID Algorithm Nettle CNG RustCrypto Notes
1 IDEA
2 TripleDES (DES-EDE)
3 CAST5 (128 bit key)
4 Blowfish (128 bit key, 16 rounds)
7 AES with 128-bit key
8 AES with 192-bit key
9 AES with 256-bit key
10 Twofish with 256-bit key
11 Camellia with 128-bit key
12 Camellia with 192-bit key
13 Camellia with 256-bit key

Hash Algorithms

ID Algorithm Nettle CNG RustCrypto Notes
1 MD5 See below.
2 SHA1 Replaced by SHA1CD. See below.
3 RIPEMD160 See below.
8 SHA2-256
9 SHA2-384
10 SHA2-512
11 SHA2-224

Weak algorithms are disallowed by default for contemporary messages by the StandardPolicy. Furthermore, Sequoia uses a modified version of SHA1 that mitigates known (and likely unknown attacks) on SHA1 called SHA1CD.

Compression Algorithms

Support for compression algorithms is independent of the selected cryptographic backend.

ID Algorithm Status Notes
0 Uncompressed
1 ZIP
2 ZLIB
3 BZip2

Related Functionality

Streaming Operation

Safe processing of OpenPGP data requires streaming operation, which we support on all levels.

Public Key Store

Basic prototype exists. Supports refreshing keys in the background.

Key Server

Aspect Status Notes
HKP(S) get
HKP(S) send

Web Key Directory

Aspect Status Notes
Querying (direct)
Querying (advanced)
Creating (direct)
Creating (advanced)

Autocrypt

Aspect Status Notes
header parsing
keygen V1
keygen V1.1
peer state
header inject
recommend
encrypt
setup message
setup process
gossip Parsing is supported.
uid decorative

Interfaces

Crate API Status Notes
sequoia-openpgp Rust Production ready Low-level interface.
sequoia-openpgp-ffi C Incomplete Low-level interface.
sequoia-net Rust HKP(S) support, WKD
sequoia-store Rust Incomplete
sequoia-ffi C Incomplete High-level interface.
python-sequoia Python Early prototype High-level interface.
sqv command line Feature complete Verifies detached signatures, a gpgv replacement.
sqop command line Mostly feature complete Implements most of SOP-draft-02.
sq command line Incomplete Generic tool for interactive use.