Call me crazy, but ...

Brandon Anderson brandon753.ba at gmail.com
Thu Jul 15 16:43:08 CEST 2021 

>>> On 14 Jul 2021, at 23:52, Стефан Васильев via Gnupg-users 
>>> <gnupg-users at gnupg.org> wrote:
>>>
>>> It would tell me as 3rd party that for WoT puposes, if this is still 
>>> used,
>>> Alice and her good friend Bob were able to sign their pub keys 
>>> remotely,
>>> based on a free of charge verification method.
>>
>> That’s what ordinary third-party sigs do. Adding medical data to a
>> public key does not add anything to the process.
>
> If it would be only medical data you are correct! But, and here a big 
> but,
> this medical data contains the full name and birthday of the certificate
> holder *digitally signed* by EU *authorities* in this field while the 
> cert
> holder had to show his *valid* ID-card to the issuer.
>
>> You should also beware that medical information is treated as
>> sensitive personal data under GDPR, and this subject to stricter
>> rules. Keyserver operators already have enough legal issues handling
>> ordinary personal data (email addresses etc) without adding
>> vaccination certificates to the dataset.
>
> As I said a duplicate key is not meant for keyserver distribution and
> if this should happen by accident, well than it happened. No one can
> be sued about this. It is or was only said in some news that one should
> not publish such QR-codes on social media.
>
At its core, the problem here is you still are not proving this 
verifiable secret has not been shared with any other party. Are these 
being scanned to go to work? Are these being scanned to travel? Are 
these being used in other hypothetical key exchanges? I am going to 
assume you currently have one of these QR codes. Assuming you want me to 
sign your public key, prove to me now that you have never shared or 
shown it to anyone ever. If you cannot do this, I cannot be assured you 
are the actual party that is sharing it as it could have been an earlier 
party you shared it with or someone eavesdropping on the communication 
channel you shared it upon.

Sincerely,

Brandon Anderson

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x255837AEF812E87E.asc
Type: application/pgp-keys
Size: 15950 bytes
Desc: OpenPGP public key
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210715/693dad39/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210715/693dad39/attachment.sig>

More information about the Gnupg-users mailing list