by flanfly 2876 days ago
Nettle implements most of the crypto needed for OpenPGP; its small size and few dependencies make it easy to wrap for Rust. I did review some, but not all, of Nettle and it looks pretty solid[1]. GnuTLS uses Nettle, so you can expect there are people smarter than me trying to break it. Initially, I wanted to use Botan, but the fact that it's in C++ means you need to write two wrappers: one from C++ to C and one from C to Rust.

1: I checked for proper RSA base blinding, a secure CPRNG, lack of Bleichenbacher Oracles and lack of invalid curve attack vectors. It uses GMP for bignum stuff so carry propagation bugs are unlikely. There are some things that aren't super nice. The CPRNG does not reseed on forks, the included AES doesn't look particularly time constant, and the library doesn't use mlock() nor zeros secrets after use.

1 comments

Alas, I just started working on a Rust wrapper for Botan https://crates.io/crates/botan

The existing Botan C API is in fact sufficient for OpenPGP already; https://github.com/riboseinc/rnp is in C++ now but was originally C and uses Botan's C API.

But Nettle is IMO quite solid and the developer is very skilled, so full steam ahead.

Is there any relation between Sequoia and the BoringPGP spec?

Yes, I'm a co-author of BoringPGP[1]. Sequoia itself will probably support it as soon as Marcus and I get around to finishing the spec, but it's not part of Sequoia and I only work on it in my free time.

1: https://github.com/boring-pgp/spec