Last month, developers from numerous OpenPGP-related projects came together at Proton’s headquarters in Geneva to work together and discuss the future of encrypted email using the OpenPGP standard. Proton had offered to host the sixth installment of the (normally) annual summit after the previous meeting in Berlin in 2019. However, that meeting was postponed due to the pandemic. Now, with lockdowns across Europe ending, we could finally come together again.
In attendance were developers from projects such as Thunderbird(new window), Enigmail(new window), and Proton Mail(new window), OpenPGP implementations such as Sequoia-PGP(new window), PGPainless(new window), OpenPGP.js(new window), and GopenPGP(new window), and the German Federal Office for Information Security (BSI)(new window). The topics under discussion ranged from how to add post-quantum cryptography to OpenPGP to improving the usability of encrypted email.
The timing was fortuitous as the OpenPGP standard (RFC 4880) is currently in the last stages of receiving a “crypto refresh”, which modernizes the cryptographic primitives used in the standard, by adding more secure signing and encryption algorithms. The result of this will be published as a new RFC in the coming future. Discussions thus also turned to potential future topics for standardization after that work is done in a possible “re-chartering” of the OpenPGP Working Group.
Potential ideas there included automatic forwarding of incoming emails when the recipient is “out of office” in a secure manner (without needing to share the private key) as well as improving the security and performance of email archival by symmetrically re-encrypting emails for storage. Header protection (e.g., encrypting subjects) and forward secrecy were also discussed, among other topics.
Improving the OpenPGP standard and standardizing these new features are important to ensure continued interoperability between different email providers, even when the emails are encrypted. This is especially relevant in the current discussion surrounding interoperability versus end-to-end encryption: it is possible to achieve both, as the OpenPGP community demonstrates, though doing so requires some dedicated effort. Meetings such as the OpenPGP Email Summit help to facilitate open discussions between stakeholders.
A better internet requires strong, open-source encryption
Proton is a strong advocate for open standards and open-source software. Opening proposals up to peer review improves the quality and security, and meshes well with our background as physicists and scientists. That is also why we have made all Proton apps open source(new window) and have subjected them to numerous third-party audits(new window).
We also maintain the OpenPGP.js(new window) and GopenPGP(new window) open-source encryption libraries. We feel that maintaining these encryption libraries is a critical part of our work to create a better internet where privacy is the default. If strong encryption is interoperable, easy to use, and freely available, it is easier for developers to create more private-by-default apps, which benefits everyone.
All in all, the summit was very useful and productive. It allowed us to make meaningful progress on the previously mentioned topics. Additionally, concrete commitments were made by us and others to work on encrypted email in the interim.
We thank everyone who came to the summit and hope to see everyone again (and others for the first time) at the next one!