Re: [Sks-devel] Implications of GDPR


From: Daniel Roesler
Subject: Re: [Sks-devel] Implications of GDPR
Date: Thu, 3 May 2018 11:04:10 -0700

Is there any way we could look for a "sensitive" flag on a
revocation key packet[1]? "If this flag is set, implementations
SHOULD NOT export this signature to other users except in cases
where the data needs to be available."

[1]: https://tools.ietf.org/html/rfc4880#section-5.2.3.15

Here's some logic:

(1) Receive key via gossip or upload.
(2) Scan signatures for revocation key with "sensitive" flag.
(3) If present, see if revocation key is available in packets.
(4) If available, see if signing key is self-signature.
(5) If self-signature, validate the signature.
(6) If valid, drop the packet that the signature is signing.

Pros:
* Already built into OpenPGP spec.
* Cryptographically secure.
* Packet-level specific (e.g. can "forget" specific emails).

Cons:
* Possibly contorting original intent of the "sensitive" flag.
* Requires starting to validate signatures (though this only
  requires validating self-signatures, so no worries about
  public key availability).
* Likely few clients offer easy-to-use capabilities of making
  this type of revocation key signature.

Thoughts?

Daniel


On Thu, May 3, 2018 at 10:21 AM, brent s. <address@hidden> wrote:
> On 05/03/2018 07:40 AM, Moritz Wirth wrote:
>> That does not help because you still store European data which is still
>> affected by the GDPR.
>>
>> What about only accepting valid keys and removing all revoked or expired
>> keys from the database? If someone wants to have his data deleted he can
>> revoke his key and the revoked signature is synced over all keyservers
>> which then delete them from their own db - new revoked keys are simply
>> rejected.
>>
>
> how do you determine the "validity" of a key? do you mean in the
> technical sense (not expired, revoked, etc.)? because others have
> pointed out the issue with that.
>
> or do you mean proving a user owns a key they push? if so, that has its
> own problems- sure, you could send an email to the email address
> associated with the key and require a reply (such as what
> keyserver.pgp.com did - does? haven't used in a while), BUT...
>
> not all keys have addresses associated (and this is the preferred method
> for addressing the - admittedly, in my opinion, unfounded but still
> commonplace - concern of spammers harvesting email addresses from keys).
>
> --
> brent saner
> https://square-r00t.net/
> GPG info: https://square-r00t.net/gpg-info
>
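
Step (2) of the logic in the message above, as an added example that is not part of the original post and not SKS code: it walks the hashed subpacket area of a version 4 signature packet body and reports Revocation Key subpackets (RFC 4880, section 5.2.3.15) whose class octet carries the "sensitive" bit. The function names and the sample packet are assumptions made for illustration; the signature validation in steps (4) and (5) is not covered.

```python
import struct

REVOCATION_KEY = 12     # subpacket type (RFC 4880, section 5.2.3.1)
CLASS_REQUIRED = 0x80   # must be set in the class octet (section 5.2.3.15)
CLASS_SENSITIVE = 0x40  # the "sensitive" flag the message refers to

def iter_subpackets(area):
    """Yield (type, critical, data) for each subpacket in a subpacket area."""
    i = 0
    try:
        while i < len(area):
            first = area[i]
            if first < 192:                      # one-octet length
                length, i = first, i + 1
            elif first < 255:                    # two-octet length
                length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
            else:                                # five-octet length
                length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
            if length < 1 or i + length > len(area):
                raise ValueError("malformed subpacket length")
            yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
            i += length
    except (IndexError, struct.error):
        raise ValueError("truncated subpacket area")

def sensitive_revocation_keys(sig_body):
    """Return hex fingerprints of sensitive revocation keys in a v4 signature body."""
    # Only the hashed area is read: unhashed subpackets are not covered by the
    # signature, so anyone relaying the key could add or strip them.
    if len(sig_body) < 6 or sig_body[0] != 4:
        raise ValueError("not a version 4 signature packet body")
    (hashed_len,) = struct.unpack(">H", sig_body[4:6])
    hashed = sig_body[6:6 + hashed_len]
    if len(hashed) != hashed_len:
        raise ValueError("truncated hashed subpacket area")
    found = []
    for sp_type, _critical, data in iter_subpackets(hashed):
        # data layout: class octet, public-key algorithm, 20-octet fingerprint
        if sp_type == REVOCATION_KEY and len(data) == 22:
            if data[0] & CLASS_REQUIRED and data[0] & CLASS_SENSITIVE:
                found.append(data[2:].hex())
    return found

def constructed_sig_body(klass, fingerprint):
    """Constructed sample: direct-key (0x1F) signature body with a dummy signature value."""
    created = bytes([5, 2]) + struct.pack(">I", 1525370650)  # arbitrary creation time
    revoker = bytes([23, 0x80 | REVOCATION_KEY, klass, 1]) + fingerprint
    hashed = created + revoker
    return (bytes([4, 0x1F, 1, 10]) + struct.pack(">H", len(hashed)) + hashed
            + b"\x00\x00" + b"\x00\x00" + b"\x00\x01\x01")  # empty unhashed area, dummy hash prefix, dummy MPI
```
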


