OpenPGP CA uses established features of the OpenPGP standard

The mechanisms that OpenPGP CA relies on are standardized in RFC 4880.

In particular, our approach relies on certifications of User IDs and on “Trust Signature” packets.

For some scenarios, it is necessary to use scoped trust signatures (that is, to limit the delegation of trust to only User IDs under a particular domain name). To do this, we use “Regular Expression” packets

Making the power of these OpenPGP features accessible for users

The current version of the OpenPGP standard (RFC 4880) is from 2007, so all of these concepts and features have been available in OpenPGP for at least 14 years.

Still, adoption of these powerful building blocks has been limited. We believe that one reason for this has been a lack of good tooling.

OpenPGP CA offers massive improvements for one aspect of this task: We simplify the task of keeping track of the OpenPGP keys in your organization - and of certifying them with your organization’s CA.

This means that the “Web of Trust” is seeded with more certifications that are generated by organizations.

On the other side of this equation is the software that end users employ to interpret and reason about these certifications.

On this page, we list information about which user-facing software supports the relevant aspects of the OpenPGP standard to make use of OpenPGP CA instances.

Client-side software support for OpenPGP CA

To take advantage of the certifications provided by a CA, these certifications need to be understood by the user’s software - and properly interpreted and visualized to the user.

There are various contexts in which users can benefit from the authentication of OpenPGP keys, including of course email. Other areas include remote logins via secure shell, or tasks such as code- or package signing.

Software that supports OpenPGP CA

• GnuPG (2.0 and 2.2): This is the most widely used implementation of the OpenPGP standard. It supports all of the features that OpenPGP CA is based on.

• Thunderbird/Enigmail: Is based on GnuPG and thus supports the features OpenPGP CA relies on.

• A lot of other software is also built on top of GnuPG. Such software will typically support authentication via an OpenPGP CA instance out of the box. This includes KMail, Evolution, mutt, emacs-based mail software such as Wanderlust, …

Software that lacks required functionality

• Thunderbird78+: a new OpenPGP backend is currently being developed as the successor of enigmail. For now, this implementation lacks support for OpenPGP certifications altogether.
• OpenKeychain does not currently support “trust signatures”

Limitations of earlier versions

• GnuPG on Windows, prior to version 2.2.23, didn’t properly handle Regular Expression packets and because of this could not handle scoped trust (that is: limiting trust signatures to only apply to User IDs under a particular domain).