Centrally managed or decentrally distributed?

There are three protection goals in information security: The confidentiality, integrity, and availability of systems. A system is confidential if you can trust that your information will reach exactly the intended recipient. In practice, authentication and encryption ensure confidentiality together. Integrity is achieved through digital signatures, which can verify that a sender is who they claim to be. System availability, on the other hand, is more abstract and depends on the design of the entire system.

Sequoia PGP is based on the OpenPGP standard, which features a decentralized design. This means that multiple applications can be built on the OpenPGP standard and users do not have to use the same provider to exchange messages or files. This makes the system as a whole fail-safe and thus increases availability, as the system only fails completely if all providers fail at the same time. Since OpenPGP is a standard, there can also be different implementations of it. And there are quite a few. The more there are, the less likely it is that a security vulnerability or failure will affect all implementations at the same time.

These characteristics - a decentralized design and interoperability - can therefore lead to a more robust system and thus ensure higher availability than a closed, centralized system. However, this advantage comes with a frequently mentioned disadvantage: it takes more time to update the protocol and disable old functionality. However, we believe that this disadvantage is not as bad as it seems at first glance.

In recent weeks, many internet users have been reminded three times what it means when availability is restricted. An error in one of Amazon's data centers meant that services using Amazon's cloud were unavailable. Since around 30% of cloud applications use Amazon's data centers, that's a lot. Next, Microsoft's Azure cloud had problems, with similar consequences. Most recently, Cloudflare was unavailable. Cloudflare is a service that almost half of all websites use to ensure their availability. The problems ranged from inaccessible banks and overheated beds to unplayable games and chat apps such as the end-to-end encrypted messenger Signal, which was unable to deliver messages.

The problem wasn't just that Amazon, Microsoft, and Cloudflare had issues. The applications are all centralized, meaning they don't work without their service provider. As far as I know, nothing bad happened this time. But you can imagine that it's only a matter of time before an attacker exploits this vulnerability to cause even bigger problems.

The second problem is interoperability. Let's take the aforementioned instant messenger Signal as an example, as it pursues similar goals to Sequoia. Although Signal is free software whose source code can be modified by anyone with the relevant skills, the Signal network itself is closed. This means that Signal users can only communicate with other users who use the same Signal network. One advantage of this architecture is that the operator can continue to develop the service without a great deal of coordination. However, one disadvantage is that the operator represents a weak point: if they are compromised or fail, the entire network is affected.

The government of the country where Signal is based - the US government - can try to force Signal to weaken its network, for example by installing a backdoor. This is not a fantasy: the US government has already done something like this. In 2013, it tried to install a backdoor in Lavabit in order to access Edward Snowden's emails. And a few months ago, Microsoft, acting on orders from the US government, blocked the Microsoft account of the chief prosecutor of the International Criminal Court. He had issued arrest warrants for Israeli Prime Minister Benjamin Netanyahu and others. This prevented the chief prosecutor from accessing his emails and hindered his work.

Even in a decentralized network, an operator can install a backdoor or block an account. In such cases, however, users have the option of switching to another provider without losing most of their contacts.

The OpenPGP standard is even network-independent: this means that you can send an OpenPGP message encrypted via WhatsApp, Facebook, or even amateur radio. However, most people do not do this because OpenPGP is not or poorly integrated and is therefore cumbersome to use. End users mainly use OpenPGP via a few email clients, especially in the free and open source sector, that support OpenPGP. However, there are also plug-ins for many Jabber clients. Unfortunately, these are still not as smooth to use as Signal.

Both email and Jabber are decentralized services. This means that if one provider is unavailable, the other providers can still be used. If a provider is unavailable for an extended period of time, users can switch to another provider without losing their contacts. The providers can also be located in different jurisdictions. This can create digital sovereignty. Services such as Signal, on the other hand, are not designed to be as robust.

The disadvantages of a decentralized design arise directly from its structure: because there is no central authority, no central authority can make decisions. Instead, all stakeholders must reach a consensus. As a result, changes often take a long time. However, these are the costs of democracy compared to dictatorship.

We have been working on Sequoia PGP for eight years. During this time, we have achieved a great deal, especially in the area of infrastructure. The proof of this is the large number of projects that have chosen Sequoia. For example, the software package management systems RPM and APT use Sequoia to verify the integrity of software updates, the whistleblower platform SecureDrop uses Sequoia to encrypt messages from sources, and the Swiss government uses Sequoia to protect patient data. In the coming years, we hope to reach more end-user applications. After all, the most secure system that no one uses is of no use to anyone.

aOne hurdle here is that implementing cryptography correctly is complex. Errors in cryptographic implementations are difficult to detect and often fatal. Sequoia PGP takes care of this important foundation, allowing developers to continue developing their core components for their users without having to constantly worry about cryptography. Our current goal is to develop an easy-to-use API for Sequoia that requires no special cryptographic knowledge and only minimal OpenPGP knowledge. We are confident that a simple but secure API will encourage more developers to integrate OpenPGP into their applications and end users will benefit from improved data protection.