Re: [Sks-devel] Implications of GDPR

[dirk astrath]

Hi,

It may make sense to keep a revoked key in our database:

How is your decision, if a key can't be found on a keyserver?

Trust on first use? Don't trust?

If my key gets compromised, I want to tell the community: DO NOT trust
this key ... so I revoke it.

Therefore:

If revoked (or expired) keys are removed from keyservers, I'm unable to
tell this anymore.


Another issue are the "fake" keys or keys, which have been uploaded a
looooong time ago.

Even if you're the owner (or former owner) of the
username/mailadress-combination you're unable to revoke the key or add
any (trusted) signature to this key so it will get removed (or unlisted).

So these key can't get removed from the database.

Well ... using any fake email-adress i would be able to write "somebody"
"please remove my key from keyserver", but ... how am I able to proof
that I'm the one who is allowed to get this key removed?
And ... even if I have to answer to a "ping"-mail: If the domain doesn't
exist anymore (or belongs to somebody else) I will not be able to answer
and therefore confirm the deletion.


All in all:

It's not easy to find a perfect solution (if there is any) ... and it's
not the first time we have this discussion ...

... the first time I remember it was after the talk on OHM 2013
"Trolling the Openpgp-Web-of-trust" ... unfortunately nothing changed
since then ... ;-(

Kind regards,

dirk

signature.asc
Description: OpenPGP digital signature