BSI withdraws approval of GnuPG (revisited after 3 month)

Werner Koch wk at
Mon Nov 4 17:38:47 CET 2019

On Mon,  4 Nov 2019 08:58, karel-v_g--- said:

> In a message to this list on August 8th Werner Koch said he is
> permanent contact with BSI and the reason for the withdrawal is in the
> OpenPGP part of GnuPG. Once again no further details were
> provided. [4]

We received a new approval BSI-VS-10400 dated Sep 9.  We have not yet
announced this widely except for a short notice at  The
reason for this that we are still waiting for the promised
"Freigabeempfehlung" for the OpenPGP part.  That is a kind of approval
which allows to use OpenPGP without a smartcard.  Without such a
Freigabeempfehlung the public might have get the false idea that
the OpenPGP part is not secure.  But now, that you asked I better
explain what I know.

There seem to be different opinions at the BSI on whether a smartcard
should be mandatory for use with VS-NfD.  The whole thing is not a
technical issue but a pure political/organizational thing.  In fact the
current software used for VS-NfD (Chiasmus) does not use any smartcards
but a plain old proprietary 64 bit block length symmetric algorithms.
Users of VS-NfD are eagerly waiting for an easy migration path from that
legacy software to GnuPG (Gpg4win/Gpg4KDE).

> Should we consider our data protected by GnuPG insecure as german
> authorities obviously do?

No they don't.  They even use Gpg4win and GnuPG in house.

> Can or must we take any steps to eliminate or at least mitigate the
> problem in the current modern (2.2.17) and classic 1.4.23) versions of
> GnuPG (e.g. avoid compatibility options like —openpgp)?

Nope.  All is fine and Gpg4win may be used for VS-Nfd if the SecOPs are
followed (e.g a Telesec NetKey 3.0 card is used for the S/MIME keys)

> Is it a problem only with GnuPG or with OpenPGP in general? Are other
> implementations affected as well?

No, there is no bug or issue except for the slow grinding bureaucratic
mills to get an approval for the OpenPGP and S/MIME without a smartcard.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list