OpenPGP CA 0.10.1 released

By Heiko | May 7, 2021

Today we’re happy to announce the first release of the OpenPGP CA 0.10.x series. The code for OpenPGP CA 0.10.1 is tagged on GitLab.

crates.io

Starting with this release, we’re publishing to crates.io. So from now on, you can conveniently cargo install openpgp-ca.

Right now, we’re publishing two crates:

Note: for the time being, there is no release of the OpenPGP CA REST daemon on crates.io, since it depends on rocket 0.5, which is not yet released.

While we’re talking crates, there’s also the related crates.io/crates/openpgp-keylist/, which is used by openpgp-ca for exporting to Keylist format.

Behind the scenes

After some refactoring of the codebase, the 0.10.x series paves the way for OpenPGP CA instances with different cryptographic backends and/or different data storage models.

One concrete plan is to implement support for OpenPGP CA instances based around OpenPGP card hardware tokens, such as Gnuk or YubiKey. With such OpenPGP CA instances, no private key material will be stored in the CA database. All operations that require CA private key material will be performed on the hardware token.

We’ve also discussed read-only instances that don’t contain CA private key material, for example as part of an air-gapped setup, and are considering implementing support for that use case.