Justus is co-founder and senior developer of Sequoia-PGP, a clean-sheet implementation of the OpenPGP protocol in the memory-safe programming language Rust. Besides working on the core library, he is part of the IETF OpenPGP working group's design team revising the spec, maintains a comprehensive OpenPGP interoperability test suite, has created and maintains an alternative OpenPGP backend for Thunderbird, and improves the OpenPGP ecosystem by listening to downstream users' requirements and helping them to integrate OpenPGP into their solutions.
Previously, Justus spent two years working on GnuPG, improving its test suite and GPGME's Python bindings, and doing general maintenance on the code base. This was a transformative time: he learned about the difficulties of interfacing with GnuPG, the advantages and disadvantages of GnuPG's architecture, and the challenges of creating and caring for an integral part of the Free Software ecosystem.
During his time at university, Justus was interested in computer security and formal proof techniques, writing his Diploma thesis about model checking. He also became interested in object capability systems, working on GNU Hurd and Debian/Hurd in the final years of his studies. Working on the Hurd was also how he learned how to contribute back to the Free Software community and how to care for large, old, and organically grown code bases written in C.
Justus has been using Debian on his computers (with a few detours), starting with Potato. It has been a great ride!
To compensate for his desk job, Justus juggles. Mostly clubs, but he has been trying to learn new Diabolo tricks recently, and he enjoys all sorts of equilibristic activities.
In this talk I will introduce the Sequoia-PGP project, its social and technical goals, what we have accomplished so far and what we hope to accomplish in the future. I will also highlight important projects in the broader ecosystem, notably OpenPGP-CA, the OpenPGP Interoperability Test Suite, Hagrid, the Octopus, and the Chameleon.
I will briefly highlight the most important changes that the upcoming revision of the OpenPGP protocol will bring for developers and users.
Finally, I want to talk about one of the core strengths of the OpenPGP protocol: authentication. I will highlight how OpenPGP-CA makes a once cumbersome process transparent to the end users, by leveraging existing organizational trust boundaries, and how Debian and the broader Free Software ecosystem can use this to build a secure and ergonomic authentication mechanism from the bottom up. To conclude, I want to discuss how this enables us to protect the software supply chain from the version control systems to source and binary packages.