Preserving non-central and privacy with a "permission recording keyserver"

Michał Górny mgorny at gentoo.org
Tue Jul 9 19:45:17 CEST 2019


On Tue, 2019-07-09 at 16:09 +0200, Dominik Schuermann wrote:
> On 7/9/19 2:51 PM, Bernhard Reiter wrote:
> > > We could even take the upload as implicated
> > > consent on the legal state.
> > 
> > Probably not, because somebody else may just create a key with a user id that 
> > contains personal data of a different person
> Yep, exactly. GDPR is all about consent (Art 7). Consent can not be
> given implicitly. This is generally interpreted in a way that leads to
> the requirement of a double opt-in. This ensures that consent is given
> by the person related to this PII ('data subject'). In simple terms: If
> I upload a key with Bernhard's email address, Bernhard must be asked to
> give consent. This works by sending an email to Bernhard.
> 
> One goal of keys.openpgp.org is that it's GDPR-compliant. Thus, email
> validation using double opt-in is implemented.
> 

I don't really understand why e-mail validation is proper consent to
a real name which is not verified at all.

-- 
Best regards,
Michał Górny
