[Sks-devel] Recent Article

2019-08-20 Thread stuff
Found this article:

https://code.firstlook.media/the-death-of-sks-pgp-keyservers-and-how-first-look-media-is-handling-it

Yakamo

-- 


___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel


Re: [Sks-devel] GDPR (equine corpse) (WAS: Re: The pool is shrinking)

2019-08-20 Thread brent s.
On 8/20/19 6:05 AM, Tobias Mueller wrote:
(SNIP)
>> This means not only are keydumps allowed for research (§2), but the
>> SKS in general (ESPECIALLY US servers and operators, which I'll get to
>> in a moment) is exempt - we provide "...archiving purposes in the
>> public interest" (§3). Frankly put, we make GPG *work*. GPG is a
>> *very* valuable public tool - zero-trust-model public cryptography is
>> impossible without the Web-of-Trust. Ergo, exempt. It's that simple.
> No. And no, it's not.
> You are reading this wrongly.
> §89 says that member states *can* enact laws which exempt controllers
> from their duties with respect to erasure or correction *iff* the
> legitimate ground is the public interest (which itself is highly
> questionable).
> You don't gain anything from this §89 GDPR if member states do not
> create a law. And even then you wouldn't be fully exempt (as you
> suggest), but rather have an easier life as a controller.
> If we require member states to enact laws, then we're better off
> pursuing laws based on §85 GDPR, but that'd go too far for this
> discussion here.  I'm happy to have this elsewhere.
> 
> Cheers,
>   Tobi
> 


Sure; while §17(d) makes allowance via §89, it would - for example -
require a UK operator to associate with the Nat'l Registry of
Archives[0] to get the furthest extent of legal coverage (under §89
*specifically*).

However, the GDPR also makes exemption for TEU, Title V (2)(b) as well
without requiring a member state to make allowance. So an EU operator
could, should they fear GDPR repercussions, either 1.) pursue enacted
legislation/established archival status within their member state to
come under protection of §89 OR 2.) appeal to be a provider of a service
under TEU Title V.

Worth noting that Article 23 of GDPR also allows derogations for public
security.

HOWEVER, also note that *processing* of keys would fall under Article 6
(1)(f) (legitimate interest being defined via Recital 49) which requires
no explicit derogation of member states. Being that the public key is
necessary for the operation of the processing of keys in the duties of
"...preventing .. malicious code distribution" (Recital 49) (though GPG
itself serves a much broader use to protect the rights and freedoms of
EU citizens as well, which are widely covered throughout the GDPR) -
such as GPG signatures on release tarballs, for instance - the erasure
situation can be considered covered as well.

GPG *also* enables compliance with Article 32(1)(a) and (b).

Of course, this is all untested because to my knowledge an EU keyserver
operator hasn't been challenged and it hasn't been brought to an EU
court yet, so there's no established example. But the case is quite
strong for the keyserver operator, I'd say.



[0] https://www.nationalarchives.gov.uk/

-- 
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info





Re: [Sks-devel] GDPR (equine corpse) (WAS: Re: The pool is shrinking)

2019-08-20 Thread Tobias Mueller
Hi,

On Fri, 2019-08-16 at 19:28 -0400, brent s. wrote:
> SO for starters, please keep this off the "pool is shrinking" thread.
> I'd like to see that thread relevant to resolving resiliency issues of
> the SKS network, given that's the actual purpose behind starting that
> thread. GDPR is off-topic to that thread and, quite frankly, it's
> getting *extremely* annoying seeing GDPR bickering in a thread I'm
> trying to follow for technical solutions to an actual technical
> problem.
I understand you and I think many of us are in the same boat.
Yet, let me quickly refute a statement of yours before it becomes
folklore.


> Take special notice of Article 89[3].
> 
> This means not only are keydumps allowed for research (§2), but the
> SKS in general (ESPECIALLY US servers and operators, which I'll get to
> in a moment) is exempt - we provide "...archiving purposes in the
> public interest" (§3). Frankly put, we make GPG *work*. GPG is a
> *very* valuable public tool - zero-trust-model public cryptography is
> impossible without the Web-of-Trust. Ergo, exempt. It's that simple.
No. And no, it's not.
You are reading this wrongly.
§89 says that member states *can* enact laws which exempt controllers
from their duties with respect to erasure or correction *iff* the
legitimate ground is the public interest (which itself is highly
questionable).
You don't gain anything from this §89 GDPR if member states do not
create a law. And even then you wouldn't be fully exempt (as you
suggest), but rather have an easier life as a controller.
If we require member states to enact laws, then we're better off
pursuing laws based on §85 GDPR, but that'd go too far for this
discussion here.  I'm happy to have this elsewhere.

Cheers,
  Tobi

