Koch: A New Future for GnuPG

Posted Jan 6, 2022 10:29 UTC (Thu) by nilsmeyer (guest, #122604)
Parent article: Koch: A New Future for GnuPG

Does it worry anyone that one of the major pieces of encryption infrastructure is funded by a government?

Koch: A New Future for GnuPG

Posted Jan 7, 2022 5:54 UTC (Fri) by dvdeug (subscriber, #10998) [Link] (1 responses)

Do we trust the people making it? The German governmental groups funding it seem to be doing so for their own use. Shadowy forces working behind the scenes are scary; a bunch of government organizations buying a copy of a program, not so much. I'd also point out that it's not being funded by a government; it sounds like each government organization is making its own decisions about which tools they're using, within certain limits. I'd probably be more scared about AES, which was funded by the US government (cf. the whole Dual_EC_DRBG / NIST SP 800-90A escapade), and in any case, whether you see them or not, the NSA or similar organizations might be behind a cryptography project, and if they are, they're likely to try and stay hidden, especially if their intents are malign.

Trust is hard, but I don't see anything in this pattern that stands out as concerning; the biggest concern is that legitimate sources of money are the way to hide illegitimate sources of money, like from the NSA. (On the other hand, poverty makes someone easier to bribe.) I think it more likely the Germans are the ones getting backdoored here, instead of the one's backdooring, if there is a backdoor.

Koch: A New Future for GnuPG

Posted Jan 9, 2022 2:34 UTC (Sun) by JoeBuck (guest, #2330) [Link]

The German government isn't making it, they are just a customer. If you have suspicions you can audit the code.