From: "Gerd Ewald"
To:
Subject: [PGP-USERS] E-Mail encryption in Germany: legal situation
Date: Sun, 7 May 2000 20:20:51 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

I found a paper published by the German Federal Government on Encryption (private or commercial) in November 1999. Quite interesting is:

".... The Federal Government has no intention of restricting the free availability of encryption products in Germany. It regards the use of secure encryption as a decisive prerequisite for data protection for the public, for the development of electronic business transactions and for the protection of company secrets...."

and

".... 4. The spread of powerful encryption procedures must not undermine the statutory telecommunications surveillance authority of the criminal prosecution and security authorities. The responsible Federal Ministries will therefore continue to monitor developments closely and report on this subject after two years. Independently of this, the Federal Government will support the improvement of the technical competencies of the criminal prosecution and security authorities within the framework of its capabilities....."

(which means that the discussion about escrow is paused for two years).

Furthermore the German Federal Ministry of Economics and Technology *does not* recommend PGP due to the fact that PGP is sold to NAI and to the rumours that NAI is in deep contact with the NSA.

"..... Die Bewertung muss heute aber neu vorgenommen werden, seitdem der PGP-Erfinder Phil Zimmermann sein Produkt verkauft hat und PGP nun im Grunde ein kommerzielles Produkt der US-Firma Network Associates darstellt. Dieses Unternehmen soll seinerseits eng mit der National Security Agency (NSA) kooperieren. Welchen Wert die heute über das Internet vertriebenen Versionen im Hinblick auf die Sicherheit haben, kann nicht mehr beurteilt werden. ...."
(I try to translate this passage; I'm not very good at translating, nevertheless I hope you will understand what this paragraph means:

...Since Phil Zimmermann sold PGP to the US-company Network Associates, PGP is merely a commercial product as other products are. It is said that this company [Network Associates] does have a close cooperation with the National Security Agency (NSA). With regard to this information PGP's contribution to security and privacy can't be determined. ...

(HOPE I DIDN'T SPOIL THE ORIGINAL TOO MUCH !?!)

Here are my questions:

1. What is the legal situation about encryption in your country ?
2. What about the rumours NAI-NSA ?

BTW, if someone is interested in the whole paper (PDF, 3 pages) and the press conference paper (HTM), feel free to ask: I will forward it to you. The URL of this information is:

http://www.sicherheit-im-internet.de/home.phtml

Gerd

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use
Comment: NO SPAM PLEASE ! Gerd Ewald, Velbert, Germany, ID 0xD56C6187

iQA/AwUBORWl8ky/sHrVbGGHEQKWpQCgrxg1X+nH+HbC3iuXXO0yeogpTBsAn0pG
/Dv0390OoZH5UgPtPWa0NMDl
=iqGP
-----END PGP SIGNATURE-----

....................................................................
Unsubscribe:
Automated Help/Info:
List Homepage:
List Admin (human):
Please do not send administrative commands to the list address! Thanks.

Date: Sun, 7 May 2000 15:37:35 -0400
To: pgp-users@cryptorights.org
From: Robert Guerra
Subject: [PGP-USERS] PGP & NAI - Alternatives and possible NSA relationship ?

At 8:20 PM +0200 2000/5/7, Gerd Ewald wrote:
>
>Furthermore the German Federal Ministry of Economics and Technology
>*does not* recommend PGP due to the fact that PGP is sold to NAI and
>to the rumours that NAI is in deep contact with the NSA.

There are plenty of rumours, but I haven't seen any concrete proof yet.

But what is important is that the openpgp specification is under the control of the IETF.
So if for some reason you don't want to trust NAI, then all you have to do is use another openpgp compliant application, such as gnupg.

http://www.gnupg.de/presse.en.html

What is GnuPG?

GnuPG is a security application based on cryptographic algorithms. Mostly written in Germany, GnuPG is world renowned to be one of the best security tools available.

The characteristics of GnuPG:

• GnuPG is a full implementation of OpenPGP, the standard that extends PGP, the de-facto standard for cryptographic tools on the Internet.
• GnuPG has been released as free software under the GNU General Public License (GNU GPL). As such, full access to the source code is provided.

>
>Here are my questions:
>
>1. What is the legal situation about encryption in your country ?

The best reference I have for you is Bert-Jaap Koops's Crypto Law survey Page:

http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm

It is by far the most complete listing of cryptography laws in different countries.

>2. What about the rumours NAI-NSA ?

Depending on who you talk to, you'll hear different things. I'll let others say what they have heard.. But, what I can say is there are people at NAI who are very much committed to bringing us good, strong crypto that's open for peer review. Since they have always published the source code, you can always check it out, and compile it for yourself.

I've yet to hear of anyone finding an intentional security hole in the program. It's got an impressive track record which others would love to have.

--
Robert Guerra, Fax: +1(303) 484-0302

Date: Sun, 07 May 2000 13:10:56 -0700
From: Will Price
To: pgp-users@cryptorights.org
Subject: Re: [PGP-USERS] PGP & NAI - Alternatives and possible NSA relationship ?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anyone who knows anything about the history of PGP knows that any such accusation is utter nonsense. We have always published the source code to PGP, and the reputations of all the people in control of PGP at NAI are untarnished and distinctively anti-government.

If you're just looking for a random conspiracy theory to believe, remember that PGP development is funded by users, and GPG development is funded by the German government. There is always a tendency at government levels to prefer domestic solutions to national security concerns. For instance, no one in their right mind would ever use a Checkpoint firewall in the US government. That attitude has no basis in fact of course, but is simply a conspiracy theory. Thus, some German government flunkie writing that NAI may be controlled by the NSA is to be expected in a situation where they have a domestic command line that tries to imitate portions of what PGP was in 1991. Someone in their government would rather use a domestic solution, and FUD is the best way to force people to use an inferior solution rather than the real thing.

- --
Will

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0 (Build 163 Alpha)

iQA/AwUBORXNx6y7FkvPc+xMEQIJAQCgvCak5kHrPY3RJorEVwuueQV8JP8AoMhd
xPN9mCLuhNPmqYF2VhsBGHTe
=QiAm
-----END PGP SIGNATURE-----