On 7/25/2013 3:34 PM, takethe...@gmx.de wrote:
> why should I trust gpg4win? I have doubts since it was ordered by the
> "Bundesamt für Sicherheit in der Informationstechnik (BSI)", which has
> close connections to secret services. Is GnuPT any better? Finally, why
> should I trust GnuPG? I'm a Windows user.

Some thoughts --

First, if you're concerned about the involvement of government intelligence agencies then you're on the wrong mailing list. They're already here, and for the most part they're quite helpful individuals.

Consider In-Q-Tel. In-Q-Tel is a nonprofit venture capital firm that invests in technology companies for the purpose of keeping the United States intelligence community ahead of the curve. If there's going to be some big sweeping change rocking through the tech world in the next few years, it's In-Q-Tel's job to know about it, potentially to invest in it, and to keep the U.S. intelligence community abreast of it. (In-Q-Tel is *not* a government agency: it just has deep ties to the intelligence community.)

Now, if you were to go over a list of In-Q-Tel personnel, you'd find that a very senior person within In-Q-Tel has posted to this list in recent memory, reads this list regularly, and when he speaks generally gives very good advice. (I'm not publicizing this person's name because I don't want him to get deluged in mail. However, he is public about his association with In-Q-Tel, so I don't feel there's a problem with saying this person exists.)

Should we shun this person from the community? Would telling this person "hit the road, Jack, we don't want you around here any more" make any of us safer? Or would we instead lose the contributions of someone who has a unique and useful perspective, and who has always given sage counsel?

John W. Moore, who hasn't been seen on these lists in a long time, was always quite open about his past as a United States Marine and his time spent working for the NSA while in uniform. John was always patient and helpful with newbies. He was an important part of Enigmail. Should we stop using Enigmail because John W. Moore once worked for Fort Meade?

I live in the Washington D.C. metro area and attend a handful of computer forensics conferences around here. A couple of years ago I wound up sitting in an auditorium at the NSA, because they were willing to host one of the conferences. Should I be shunned because I've been inside an NSA auditorium?

When I was in graduate school and working in electronic voting, my advisor and I wound up having a couple of conversations with CIA personnel who wanted our opinions on the trustworthiness of foreign elections -- "can the results from this country be trusted?" sort of thing. Should I be shunned because I've briefed a couple of people about the electoral conditions in remote, far-off places?

My father is a federal judge: does that make me any more suspect? One of my friends is an FBI agent: maybe that ought to disqualify me?

...

It is completely natural to have concerns about the trustworthiness of GnuPG and to wonder whether it has ties to the BSI and/or BND. But I respectfully suggest that if you're going to worry about that, you should first worry about the GnuPG community as a whole. Within this community there exist an awful lot of people who have ties to the government, to law-enforcement, to intelligence agencies, and more.

But that doesn't mean we're the bad guys, and it doesn't mean the community is endangered because we're present. I believe it's quite the opposite. The In-Q-Tel executive has an incredible perspective on developing technologies, and we all benefit from that. John Moore's firsthand knowledge of history was very useful to us. For me, growing up around government and law-enforcement taught me a lot about how they think and see the world, and I can impart some of that.

The moral of the story, I think, is that you shouldn't be worried about the BSI or the BND. Worry about people instead. Ask yourself this question: do you really believe Werner would deliberately compromise GnuPG in order to satisfy a demand from the BND? If your answer is "yes," then you probably shouldn't use GnuPG at all.
If your answer is "no," then it doesn't matter if Werner is working for the BND himself. (He's not, by the way.) If you don't believe Werner would do that to you, then there's no problem.

In the end, it's all a question of trust... and that means it's something that *only you* can answer.