OpenPGP key verification + legal framework

NdK ndk.clanbo at
Mon Nov 5 21:50:28 CET 2018

On 05/11/18 17:56, Viktor wrote:

> If my counterparty had signed some contract or document, he/she should
> not be able to delete his/her public key certificate and data used for
> its verification.
IMVHO You're just (badly) reinventing X509.

> This is exactly the part that is difficult to ensure, especially given
> the new European legislation (GDPR). We needed to develop a
> justification for this. We had registered by U.K. Information
> Commissioner's Office ( , hired certified Data
> Protection Officer etc.
Then, again IMVHO, you should have registered in a country that's
supposed to *remain* in the EU...

> For now we have connected notaries only in Tel Aviv and Kyiv.
CACert does have quite a lot of notaries, but they're still not enough
for an average user: I made a 600km trip just to meet one. It's simply
not good at the economic level: I can buy a smartcard with an already
legally recognized and binding signature for 3y at 50€ (IIRC).
Moreover, if you just verify the mail address you're not identifying the
user, just "someone that currently controls that address". The same can
of worms faced by LetsEncrypt with DV certs.


More information about the Gnupg-users mailing list