
Prioritization of weak Brainpool-Curves, when de-vs aka VS-NfD mode is activated (compliance de-vs)
Closed, Wontfix (Public)

Description

It seems that the implementation of the brainpool-curves by the BSI (Bundesamt für Sicherheit in der Informationstechnik / Laufer) is potentially insecure (hard-coded SHA-1, etc ...); see the analysis of the BADA55 Research Team under DJB, etc.:
https://bada55.cr.yp.to/brainpool.html

See additional information on the group of brainpool-curves, using the example of the curve "brainpoolP256t1", at the site of DJB on investigations into the rigidity of elliptic curves: "SafeCurves Rigidity" by "Daniel J. Bernstein" and "Tanja Lange":
http://safecurves.cr.yp.to/rigid.html

CVE details of the vulnerability "DragonBlood" in the WPA3 Wi-Fi standard, which refers to the usage of the brainpool-curves of the BSI:
https://nvd.nist.gov/vuln/detail/CVE-2019-13377#vulnCurrentDescriptionTitle

Details of the vulnerability "DragonBlood" in the WPA3 Wi-Fi standard, which refers to the usage of the brainpool-curves of the BSI:
https://wpa3.mathyvanhoef.com

and in the Heise Security Forum:

https://www.heise.de/security/meldung/Dragonblood-Neue-Luecken-in-WLAN-Verschluesselung-WPA3-koennten-WPA3-1-noetig-machen-4489397.html#nav_brainpool_kurven__1

In the most recent Security Considerations of the Wi-Fi Alliance ("Security Considerations"), the Diffie-Hellman Groups 27-30 (brainpool groups) are, in a diplomatic manner, no longer listed (WITHOUT EXPRESSLY REFERRING TO THE NON-USE OF BRAINPOOL CURVES):
https://www.wi-fi.org/file/wi-fi-protected-access-security-considerations

In old Security Considerations of the Wi-Fi Alliance, the Diffie-Hellman Groups 27-30 (Brainpool groups) were still included (Suitable Diffie-Hellman Groups Page 5 / 7):
https://www.wi-fi.org/download.php?file=/sites/default/files/private/WPA3_Security_Considerations_20190410.pdf

Alternative link:
https://wpa3.mathyvanhoef.com/WPA3_Security_Considerations_20190410.pdf

Diffie-Hellman Groups 27-30:

27 224-bit Random ECP group (Brainpool)
28 256-bit Random ECP group (Brainpool)
29 384-bit Random ECP group (Brainpool)
30 512-bit Random ECP group (Brainpool)

These curves were (among others) designed by the BSI (Lochter) ...

http://web.archive.org/web/20180128160329/http://www.ecc-brainpool.org/download/Domain-parameters.pdf

Details on hash collisions from simulations on a SAGE system (BADA55 team):
http://bada55.cr.yp.to/bada55-20150927.pdf

--- cut here ---

For example, Figure 5.1 (designed to be shown to the public) uses Brainpool's procedure to generate a 224-bit curve. The output consists of the following "verifiably pseudorandom" integers p, a, b defining an elliptic curve y^2 = x^3 + ax + b over F_p:

p=0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF
a=0x2B98B906DC245F2916C03A2F953EA9AE565C3253E [8AEC4BFE84C659E]<==!!
b=0x6 [8AEC4BF8E84C659E]<==!! BB8B81DC39355A2EBFA3870D98976FA2F17D2D8D

...

In the case of the 160-bit, 224-bit, 320-bit, and 384-bit Brainpool curves, one can immediately demonstrate this discrepancy by observing that the gap listed between “seed A” and “seed B” in [14, Section 11] is larger than 1, while the standard procedure always produces a gap of exactly 1:

  1. Validation Data

11.1 brainpoolP160*1-Eval
seed: 2B7E151628AED2A6ABF7158809CF4F3C762E7160
seed_A: 2B7E151628AED2A6ABF7158809CF4F3C762E727A <= !
seed_B: 2B7E151628AED2A6ABF7158809CF4F3C762E727D <= !

--- cut here ---

In the source code of GnuPG, you will see that the "Safe Curves" of "Daniel J. Bernstein" (Curve25519) and "Mike Hamburg" (Curve448) are disabled when activating the "VS-NfD" mode (de-vs) of the BSI, and that their Brainpool curves are prioritized.

Best regards ...
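Added example (not code from this bug report or from the BADA55 paper): a small Python checker for the seed-gap observation quoted above, run over the brainpoolP160 validation data on this page. It assumes the "standard procedure" is Brainpool's as published in RFC 5639, whose update_seed step is seed + 1 mod 2^160, so a listing produced by that procedure must show seed_B - seed_A == 1.

```python
# Added example: verify the seed-gap claim against the validation data quoted
# on this page. Assumption: the standard procedure is RFC 5639, where
# update_seed(s) = (s + 1) mod 2^160.
import re

SEED_BITS = 160
SEED_MOD = 1 << SEED_BITS

# Validation data exactly as quoted on this page (brainpoolP160*1-Eval).
VALIDATION_BLOCK = """\
11.1 brainpoolP160*1-Eval
seed: 2B7E151628AED2A6ABF7158809CF4F3C762E7160
seed_A: 2B7E151628AED2A6ABF7158809CF4F3C762E727A
seed_B: 2B7E151628AED2A6ABF7158809CF4F3C762E727D
"""


def update_seed(seed: int) -> int:
    """RFC 5639 update_seed: increment by one modulo 2^160."""
    return (seed + 1) % SEED_MOD


def parse_seeds(block: str) -> dict:
    """Extract 'seed', 'seed_A' and 'seed_B' hex values from a validation block."""
    seeds = {}
    for m in re.finditer(r"^(seed(?:_[AB])?):\s*([0-9A-Fa-f]+)\s*$", block, re.M):
        seeds[m.group(1)] = int(m.group(2), 16)
    return seeds


def seed_gaps(block: str) -> dict:
    """Forward differences (mod 2^160) between the listed seeds."""
    s = parse_seeds(block)
    return {
        "seed_to_A": (s["seed_A"] - s["seed"]) % SEED_MOD,
        "A_to_B": (s["seed_B"] - s["seed_A"]) % SEED_MOD,
    }


def follows_standard_procedure(block: str) -> bool:
    """True only if seed_B == update_seed(seed_A), as RFC 5639 requires."""
    s = parse_seeds(block)
    return update_seed(s["seed_A"]) == s["seed_B"]


if __name__ == "__main__":
    print(seed_gaps(VALIDATION_BLOCK))
    print("consistent with RFC 5639 update_seed:",
          follows_standard_procedure(VALIDATION_BLOCK))
```

For the quoted data the A-to-B gap is 3, not 1, which is the discrepancy the excerpt points out; a constructed block with consecutive seeds passes the check.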

Event Timeline

vitusb triaged this task as High priority. Jan 15 2022, 3:53 PM
vitusb created this task.
vitusb created this object in space S1 Public.
vitusb created this object with edit policy "vitusb (vitusb)".
vitusb raised the priority of this task from High to Needs Triage. Jan 16 2022, 12:26 PM
werner edited projects, added Not A Bug; removed gpgagent.

Please no holy wars on the type of curves. NIST has its opinion, Europe has its opinion, DJB has of course a different opinion. Please use the cryptography ML for such political/technical discussions.

The findings of DJB on Brainpool Curves were no opinions ... these were all facts about the weakness of Brainpool Curves ... please read the analysis ... also the Wi-Fi Alliance had no "opinions" in removing Brainpool Curves from their "Security Considerations", they had reasons for doing that ...

I know that we will not solve this issue in GnuPG/Gpg4Win ... the BSI has to define some secure curves here ... but these curves came from the BSI ...

These curves are not the default in the compliance mode "gnupg"; only if you explicitly switch to the BSI-defined "VS-NfD" mode do they become the default.

werner changed the task status from Resolved to Wontfix.Jan 18 2022, 7:20 PM

vitusb: We had this discussion on cryptography@ years ago. No need to start it again - or well, try it over there. This is a bug tracker and not a discussion forum.