# NeoPG ## A replacement for GnuPG <small> _Marcus Brinkmann · 34c3 · Leipzig (2017)_ </small> --- ## GnuPG 490,000 lines of C code over 20 years * ~400 command line options * <strike>one</strike> two OpenPGP parser * HTTP client, DNS resolver * Next: TLS library --- ## OpenPGP RFC2440 (1998), RFC4880 (2007) * Harmful: Allows MD5, IDEA, photo ids, etc. * Mandatory: DSA, ElGamal, 3DES * Not supported: EdDSA, AEAD * SHA-1 fingerprints * Signatures use short key ID (64 bit) <div class="ui divider"></div> <blockquote style="margin: 0; width: 100%;"> "[...] there is not sufficient interest to successfully complete the work of the [OpenPGP] working group." – IESG Secretary, 11 Nov 2017 </blockquote> </div> --- ## NeoPG Opionated fork of GnuPG 2 * __1st__ refactor and strip down legacy code * __2nd__ replace it with a library and new CLI * __3rd__ implement new features Status: 250,000 LoC legacy + 2,100 LoC new <span style="color: orange">-240,000 LoC, -120 command line options</span><br/> in 3 months! --- ## New command line interface * Git-style subcommands<br/> `neopg armor --help` * Compatibility interface<br/> `neopg gpg2 ...` * Color output! * Better error messages --- ## Packaging * One repository * Easy to build with cmake * Platforms: Linux/BSD, MacOS * Planned: Windows, Android, iOS --- ## `libneopg` * easy high level interface * full low level interface * control over policy:<br/> · _key management_<br/> · _trust models_<br/> · _data processing (passwords)_ --- ## Delegate * C++11 (GCC, Clang, MSVC) * STL and Boost * Curl, SQLite * Botan (crypto) --- ## Focus on Code Quality * Continuous Integration * Static code analysis * Fuzzing * Linting, Source Code Formatting (clang-format) --- ## Beyond the web of trust * Decentralised (Autocrypt, PEP) * Centralised (keybase.io, Mailvelope Key Server) * Other (Google End-to-End) Example keybase.io:<br/> `$ neopg tweet @lambdafu "Any plans?"` --- ## Beyond OpenPGP * Write minimal OpenPGP profile * Extend OpenPGP (e.g. PQ crypto) * Use OpenPGP trust anchors for other protocols (e.g. Signal) --- ## <i class="ui icon globe orange"></i>neopg.io ## <i class="ui icon twitter orange"></i>@neopg_