Preserving non-central and privacy with a "permission recording keyserver"

Michał Górny mgorny at
Tue Jul 9 19:45:17 CEST 2019

On Tue, 2019-07-09 at 16:09 +0200, Dominik Schuermann wrote:
> On 7/9/19 2:51 PM, Bernhard Reiter wrote:
> > > We could even take the upload as implicated
> > > consent on the legal state.
> > 
> > Probably not, because somebody else may just create a key with a user id that 
> > contains personal data of a different person
> Yep, exactly. GDPR is all about consent (Art 7). Consent can not be
> given implicitly. This is generally interpreted in a way that leads to
> the requirement of a double opt-in. This ensures that consent is given
> by the person related to this PII ('data subject'). In simple terms: If
> I upload a key with Bernhard's email address, Bernhard must be asked to
> give consent. This works by sending an email to Bernhard.
> One goal of is that it's GDPR-compliant. Thus, email
> validation using double opt-in is implemented.

I don't really understand why e-mail validation is proper consent to
real name which is not verified at all.

Best regards,
Michał Górny

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 618 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the Gnupg-devel mailing list