Keyservers and GDPR

Bernhard Reiter bernhard at intevation.de
Wed May 23 08:27:04 CEST 2018


Hi Vincent,

On Tuesday, 22 May 2018 21:44:09, Vincent Breitmoser wrote:
> My personal conclusion is that keyservers that support user id packets are,
> quite simply, incompatible with GDPR law. Has anyone else thought about
> this?

Thinking about earlier data privacy laws (which were quite similar to GDPR in
many respects) and pubkey servers got me to no clear conclusion.

> For OpenKeychain, we plan to move uploading of key material a bit farther
> out of the way and do a better job at informing the user what's going to
> happen.

If our goal is to automate the common case in an end-to-end crypto
mail communication, then asking the user a data privacy agreement question
is a stumbling block. It would degrade the user experience a lot.

Note that if you use WKD with your email provider and just the email address
in the key id (as supported by a policy option), there is no additional 
personal data saved nor communicated. The email provider already has your 
email address and the person asking via WKD also. In addition serving of the
public key on behalf of the user could be added to the terms of service
of the email provider. Overall I think WKD is doing quite well on the data
privacy side and will allow a good user experience by not asking each time to 
publish a new pubkey for oneself.

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner