BSI withdraws approval of GnuPG (revisited after 3 months)

karel-v_g at karel-v_g at
Mon Nov 4 08:58:19 CET 2019

In May 2019 the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI [1]) approved GnuPG for securing data of the lowest security classification (VS Nur für den Dienstgebrauch, comparable to NATO Restricted). [2]
This approval was withdrawn for an unknown reason sometime before July 21st 2019. Heise-Online reported this on August 6th 2019. According to them, the BSI said it hopes to reissue the approval soon, but further inquiries remained unanswered. [3]
In a message to this list on August 8th Werner Koch said he is in permanent contact with BSI and that the reason for the withdrawal is in the OpenPGP part of GnuPG. Once again, no further details were provided. [4]
Since then there has been silence on the topic for the past three months.
As 90 days is the period we all know from Google's notorious Project Zero, I would like to come back to the problem now.
Are there any news?
Should we consider our data protected by GnuPG insecure, as German authorities obviously do?
Can or must we take any steps to eliminate or at least mitigate the problem in the current modern (2.2.17) and classic (1.4.23) versions of GnuPG (e.g. avoid compatibility options like --openpgp)?
Is it a problem only with GnuPG or with OpenPGP in general? Are other implementations affected as well?
When can we expect further information?

[3] (06.08.)
[4] (09.08.)
