Secure emails and secure signatures in the browser


OpenPGP is an encryption and signing protocol that is most widely used to enable encrypted end-to-end communication via e-mail and the signing and verification of software packages. This makes it a critical protocol for many basic internet applications, such as secure communication and software supply chains. Supporting and promoting interoperable implementations can make the protocol - and the ecosystem - more resilient by encouraging broad adoption and eliminating bugs.

The mandate is to support the entire ecosystem by further developing and improving multiple implementations, in this case the JavaScript implementation “OpenPGP.js” as well as the Go implementation “GopenPGP.”

OpenPGP.js is a lightweight JavaScript implementation of openPGP that runs in the browser. This enables the development of PGP-enabled browser extensions and web applications. This in turn leads to innovation in PGP applications and expands the potential user base by eliminating the need to install separate software.

GopenPGP is an OpenPGP library that makes it easy for projects to use a highly secure, well-tested and modern implementation of OpenPGP. GopenPGP is used by millions of users for E2EE mail, and its underlying cryptography library go-crypto is also the basis for the Hockeypuck keyserver software, which allows users to search and exchange millions of OpenPGP public keys.

Why is this important?

The chosen OpenPGP implementations enable a variety of use cases. Encryption allows the sender to ensure that no one but the recipient can access confidential information. Signing allows the recipient to verify that the communication originates from the sender and has not been tampered with. By verifying public keys, both parties can ensure that they are communicating with the person they intend to communicate with. Secure end-to-end communication is important for journalists, government agencies, businesses, and any institution or individual that uses email and has a need for private, confidential, or signed communication.

Just as with email, OpenPGP can also be used to sign and encrypt software packages. While encrypting open-source software is of limited use because it is usually not confidential, signing and verifying signatures is often used to assure developers and consumers that the software has not been tampered with. Signing also enables open-source projects to verify that a software contribution comes from a legitimate contributor, helping protect against actors who may want to tamper with the software by assuming the identity of a trusted contributor.

What are we funding?

The OpenPGP standard is currently undergoing a transformation, the so-called “Crypto Refresh.” For both GopenPGP and OpenPGP.js, improvements will be implemented to increase security and usability. End users will benefit directly.

Back to projects