• Gpg4all2015

Contract 'Gpg4all' 2015

October 2015 - July 2017

Results

Software improvement were directly made 'in upstream', so that Gpg4win 3.0 release candidates included the Outlook-Plugin with OpenPGP/MIME and Exchange-support, the updated crypto engine GnuPG with elliptic curve cryptography and an improved crypto expert interface.

The research about about OpenPGP crypto usage for web applications and Android was published August 2016 under a CC-BY-SA license directly by the BSI (in German):

• Nutzung von OpenPGP auf Android
• Nutzung von OpenPGP in Webanwendungen
  • cited in https://posteo.de/blog/unsere-vorabinformation-zum-neuen-test-der-stiftung-warentest

Goals

• Maintenance and development of Gpg4win: Adapt it to new versions of Windows and Outlook. Consider current cryptographic recommendations. Integrate GnuPG 'modern'. Clean up Kleopatra.
• Research: How can GpgOL do MIME? How can the existing implementation be made more secure?
• Research: How could GnuPG and email/file end-to-end security be brought to webbrowsers and android devices?

Workpackages

• WP1.1: GpgOL
  • Feasibility study: MIME support for MS Outlook
  • Feasibility study: Exchange support for MS Outlook
  • 64-bit version of GpgOL for MS Outlook 2010/2013/2016
  • Test plan
• WP1.2: Improve Kleopatra
  • Initial setup dialog
  • Initialization of OpenPGP smart cards
  • Associate file extensions with Kleopatra
  • Auto import of missing certificates
  • Easier setting of owner trust after import
  • Improvements in several certificate related function and dialogs, e.g.
    • Creation of revocation certificates
  • Update Kleopatra to Qt5 and KDE Frameworks 5, reduce KDE dependencies, add more languages for Kleopatra
  • Test plan
• WP1.3: Gpg4win: general improvements
  • Notification of available updates
  • Pinentry: show/hide passphrase in clear text
  • Revision of the compendium (German language version)
  • Update GnuPG to 'modern' (v>2.1). Allows e.g. ECC.
• WP1.4: Extended Quality assurance of Gpg4win
  • Estimation for an automated build and test environment for Gpg4win
  • Some additional automated tests
• WP2: Study about using OpenPGP in web browsers
  • Technical requirements
  • Analysis of available plugin/addon interfaces in Firefox and Chrome
  • Description of available plugins/addons implementations providing OpenPGP
  • Recommendations, including effort estimation and risk when improving an existing Free Software implementation or developing a new one.
• WP3: Study about using GnuPG on Android
  • Technical requirements
  • Analysis of Android. How to integrate a crypto "service" based on GnuPG?
  • Description of available Android implementations using OpenPGP
  • Recommendations, including effort estimation and risks when improving an existing Free Software implementation or developing a new one.

Principal BSI

In 2015 the German Federal Office for Information Security (BSI) contracted Intevation and g10 Code for the 'Gpg4all' project. The public tender was published in April, work started in October.

Team

The German companies Intevation GmbH and g10 code GmbH are the main technical drivers behind Gpg4win and GnuPG. For the tasks at hand they have secured additional expertise and help by the following subcontractors:

• Thomas Oberndörfer (Mailvelope GmbH)
• Dominik Schürmann (TU Braunschweig, OpenKeychain)
• Vincent Breitmoser (OpenKeychain)
• Oskar Hahn
• KDAB (Deutschland) GmbH & Co. KG

Contact

Prefered: via the public channels of Gpg4win or GnuPG.

Alternatively send email to the project manager Emanuel (69A911FC) or his deputy Bernhard (EFF5D42A) from Intevation. Encryption appreciated. ;-)