Certified OpenPGP-encryption after release of Thunderbird 78

Binarus lists at binarus.de
Fri May 29 08:48:05 CEST 2020



On 28.05.2020 23:21, Stefan Claas wrote:
> 
> while it is not my business, I do not understand why you have to take
> care about the Thunderbird issue, as a user and not the
> Aufsichtsbehörde ... If for example you have a job at the
> Aufsichtsbehörde then ok, like I said, I would contact gnupg.com and
> ask them if GnuPG Desktop (A Windows app) fits for your working
> environment and in case not what they would suggest, because the
> Aufsichtsbehörde should have IMHO funds to issue a professional
> licensed working solution for their employees.
> 
> In case you only have to deal as a gpg4win user with the
> Aufsichtsbehörde via email, then I don't understand how would they
> detect if you would not comply by using later the new Thunderbird,
> without BSI approval.

This is not my field, but I believe that (besides authorities) there are
companies or other institutions which *must* use certified encryption
solutions. Some ideas:

- The OP might be employed at a city administration of a small village
where the full set of regulations is relevant, but where there is no
money (as in many small villages) to buy support.

- The OP might be employed at a company like a hospital, a nuclear
plant, a company which develops or sells military goods, a law office, a
tax office, a (medical) insurance, a bank, and so on - you get the idea :-)

While I actually don't know in detail which sort of company is bound by
which regulation, I am sure that there are dozens of company types and
hundreds, if not thousands of companies which are legally restricted to
use only BSI-certified encryption software, especially companies which
handle sensitive personal data or which compromise public safety if they
let data leak.

Even more, since the arrival of the GDPR, each company -even the
smallest one- has to put significant effort into protecting personal
data, and has to document in detail their respective policies and
methods. When implementing the respective concepts and explaining /
documenting why they are safe and how they protect personal data, it is
of great help when the BSI has certified as many parts of the software
as possible.

Furthermore, to me, the OP sounds as if he is not only employed at a
company as a normal user, but as a part-time admin who has been asked to
implement the email infrastructure for his colleagues besides his normal
work (because the management as usual does not understand the importance
and value of such work and the expertise and time which is needed).

Regards,

Binarus


