(changing back the thread subject)

On 2022-01-29 at 09:38 -0700, jonkomer wrote:
> I was the one to suggest to them to use e-mail and OpenPGP
> encryption. The reasons were two-fold: first to avoid one of
> those centralized, web-browser based, single-point-of-failure,
> essentially insecure communication setups so common today;
> the second was to make their members' communication
> interoperable with the general Internet population in order
> to increase the organization's visibility and promote wider
> adoption of encrypted e-mail. I posted my original question
> only in order to find out some technical details on how to
> do that.
>
> Posting the question was worthwhile, as I have learned
> that:
>
> (a) Unfortunately, OpenPGP email encryption is incompatible
> with GDPR and should not be used by those that either want
> or need to be GDPR compliant.
That's a non sequitur from the thread. Your GDPR issue is with people uploading keys to the PGP keyservers without consent, not with OpenPGP (which doesn't need keyservers, nor even specifies the use of keyservers, although they are related technology).

Think about it: if you sent me a physical letter full of personal information, and I then published it in the newspaper, with no legitimacy to do so, in violation of GDPR, would that make snail mail incompatible with GDPR?

Regarding your problem, I would suggest not to include the first/last name in the key. Only the email address. (Yes, the name part is optional.) So instead of

  John Smith <john....@example.org>

it would simply be

  <john....@example.org>

The name part is inherently unreliable, since one cannot know if the owner is *the* John Smith you want to write to (assuming the user is actually named John Smith!). On the other hand, the key can be easily matched with the provided email address.

Of course, a member wanting to correspond with John Smith needs to find out that their email is john....@example.org, but that was likely already the case before, and something which is probably solved through that "internal verification mechanism" (which I'm a bit wary about; I would recommend that the keys were provided signed by the domain owner, so members would only need to trust (sign) that key to know that they have a valid example.org pgp key. They could be published through WKD. This doesn't preclude that access to the keys could require authentication).

A second issue with having the users rely (and the owner needing to assert) on the name displayed on the key would have been what to do when a second John Smith wanted to become a member.

Best regards

PS: I guess by the "emotional reactions" you mean Robert J. Hansen's mails, since replies by other people seem much more technical in nature. You shouldn't generalize from one person to "all creators and maintainers". In fact, I think -but have not checked- that most of GnuPG code will have been written inside the EU. There are lots of OpenPGP users inside the EU, under GDPR, including Government entities (as Robert J Hansen noted).

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users