Brandon Anderson wrote:
On 14 Jul 2021, at 23:52, Стефан Васильев via Gnupg-users <gnupg-users@gnupg.org> wrote:

It would tell me as a 3rd party that for WoT purposes, if this is still used, Alice and her good friend Bob were able to sign their pub keys remotely,
based on a free of charge verification method.

That’s what ordinary third-party sigs do. Adding medical data to a
public key does not add anything to the process.

If it were only medical data, you would be correct! But, and here is a big but, this medical data contains the full name and birthday of the certificate holder *digitally signed* by EU *authorities* in this field, while the cert
holder had to show his *valid* ID card to the issuer.

You should also beware that medical information is treated as
sensitive personal data under GDPR, and thus subject to stricter
rules. Keyserver operators already have enough legal issues handling
ordinary personal data (email addresses etc) without adding
vaccination certificates to the dataset.

As I said, a duplicate key is not meant for keyserver distribution and
if this should happen by accident, well, then it happened. No one can
be sued over this. It is or was only said in some news that one should
not publish such QR codes on social media.

At its core, the problem here is you still are not proving this
verifiable secret has not been shared with any other party. Are these
being scanned to go to work? Are these being scanned to travel? Are
these being used in other hypothetical key exchanges? I am going to
assume you currently have one of these QR codes. Assuming you want me
to sign your public key, prove to me now that you have never shared or
shown it to anyone ever. If you cannot do this, I cannot be assured
you are the actual party that is sharing it as it could have been an
earlier party you shared it with or someone eavesdropping on the
communication channel you shared it upon.

Neither I nor anybody else needs to do that with you, only *your*
virtual long-time friends, having no other good option remotely.

These QR codes are meant to be carried mostly on a smartphone and if
required the person can show them on request. When those codes are
scanned with authorized apps no data is stored on third-party servers
and only the name and birthday are displayed and the signature verified,
while the holder has to show his ID card as well.

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
