Preserving non-central and privacy with a "permission recording keyserver"
dominik at schuermann.eu
Tue Jul 9 16:09:35 CEST 2019
On 7/9/19 2:51 PM, Bernhard Reiter wrote:
>> We could even take the upload as implicated
>> consent on the legal state.
> Probably not, because somebody else may just create a key with a user id that
> contains personal data of a different person
Yep, exactly. GDPR is all about consent (Art 7). Consent can not be
given implicitly. This is generally interpreted in a way that leads to
the requirement of a double opt-in. This ensures that consent is given
by the person related to this PII ('data subject'). In simple terms: If
I upload a key with Bernhard's email address, Bernhard must be asked to
give consent. This works by sending an email to Bernhard.
One goal of keys.openpgp.org is that it's GDPR-compliant. Thus, email
validation using double opt-in is implemented.
More information about the Gnupg-devel