Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Ask HN: Shouldn't PGP keyservers be redesigned to be compatible with GDPR?
3 points by humanfromearth9 on Nov 17, 2020 | hide | past | favorite | 1 comment
The GDPR allows individuals to request correction or deletion of their personal data, as well as restrict the usage done with this personal data, for example, request that the data is not shared with third parties. The GDPR also allows a user to request the list of third parties with which their personal data has been shared. Also, please note that the GDPR legally protects European users also from organisations located outside the European Union.

The nature of the information stored on PGP keyservers makes it personal data, as it allows to identify individuals related to this data, using their email address.

PGP keyservers are implemented to 1) synchronise keys (and the associated revocation data) and 2) make the keys immutable (they cannot be deleted, only revoked).

Now, if any user protected by the GDPR wanted to have their personal data (thus keys) modified or deleted, any organisation that would be requested for this change would have a hard time not completely taking down their PGP keyserver in order to comply. PGP keyservers and their key sharing protocol are old systems that are barely maintainable. They just run, and until GDPR, it was enough. It might prove difficult to modify their code reliably...

I think a redesign of keyservers is long due. Actually, I am not even sure that keyservers are necessary at all. Why not just have PGP keys published using DNS?

Any thoughts?



See https://keys.openpgp.org/about/news#2019-06-12-launch for pointers to relevant discussions around this.

Plenty of arguments have been exchanged, and some active steps have been taken. Like the keyserver now also default in Thunderbird (and GnuPG?). There is always more things that can be discussed, and more things to be implemented. I suggest you browse the relevant conversation archives in the most relevant places, and engage there if you want to discuss more.

see e.g. SKS, gnupg, enigmail, autocrypt lists:

May 2018: http://nongnu.13855.n7.nabble.com/SKS-apocalypse-mitigation-...

Also May 2018: https://lists.gnupg.org/pipermail/gnupg-devel/2018-May/threa...

October & November 2018: https://admin.hostpoint.ch/pipermail/openpgp-email_enigmail....

From that thread, by the author of GnuPG, Werner Koch: https://admin.hostpoint.ch/pipermail/openpgp-email_enigmail....

Also beyond GDPR, the underlying implementation of what powers the "modern" keys.openpgp.org, Hagrid, groups a lot of interesting "what should a modern keyserver look like" discussions. To pick some examples: https://gitlab.com/hagrid-keyserver/hagrid/-/issues/131 (improve refresh operations) and https://gitlab.com/hagrid-keyserver/hagrid/-/issues/139 (padding for privacy)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: