BerandaComputers and TechnologyAsk HN: Shouldn't PGP keyservers be redesigned to be compatible with GDPR?

Ask HN: Shouldn’t PGP keyservers be redesigned to be compatible with GDPR?

The GDPR allows individuals to request correction or deletion of their personal data, as well as restrict the usage done with this personal data, for example, request that the data is not shared with third parties. The GDPR also allows a user to request the list of third parties with which their personal data has been shared.
Also, please note that the GDPR legally protects European users also from organisations located outside the European Union.

The nature of the information stored on PGP keyservers makes it personal data, as it allows to identify individuals related to this data, using their email address.

PGP keyservers are implemented to 1) synchronise keys (and the associated revocation data) and 2) make the keys immutable (they cannot be deleted, only revoked).

Now, if any user protected by the GDPR wanted to have their personal data (thus keys) modified or deleted, any organisation that would be requested for this change would have a hard time not completely taking down their PGP keyserver in order to comply. PGP keyservers and their key sharing protocol are old systems that are barely maintainable. They just run, and until GDPR, it was enough. It might prove difficult to modify their code reliably…

I think a redesign of keyservers is long due. Actually, I am not even sure that keyservers are necessary at all. Why not just have PGP keys published using DNS?

Any thoughts?



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments