Hi, In order to get a fruitful dialogue on these matters, some clarifications regarding the role of the sks-keyservers.net pool of keyservers seems necessary.
sks-keyservers.net is not an organization, but is an automated service, operated by me as a private individual, that detects public keyservers through crawling the open internet. The service has been offered free of charge to the public [since 2006], at which point it replaced a previous service of a similar nature, and with [the source code open source]. The service functions by generating the necessary DNS records for a [DNS Round-Robin] consisting of underlying keyservers that matches the necessary criteria to be considered up to date with the overall ecosystem. Since this discussion affects the overall OpenPGP ecosystem, and these matters relates to security enhancing software, of which transparency between the various operators within the system is imperative; I've CCed a relevant mailing list with matters related to keyservers. Please keep this mailing list CCed in all further communications on this matter. With regards to the specific claims a request for deletion was received on 5/29/18, 2:24 PM CET. A response was sent 5/31/18, 11:21 PM that (i) explained that sks-keyservers.net is not the appropriate recipient for a request to delete as it only links to underlying keyservers that store the data, and these are operated by more than 100 different operators world-wide, and linking to [the blog post regarding deletion requests] that is written and used for similar such requests describing this situation. A keyserver operates in a blockchain like model of always adding data, never deleting it. Some discussions are currently ongoing in the community with regards to alternative models for the keyservers to operate, however they will all imply changing the security model that has been used by the PGP Web of Trust for several decades, but no consensus has currently been reached. These discussions can be found in the archives of the sks-devel mailing list well as other relevant mailing lists. In any case, sks-keyservers.net service only generates DNS records such as $ dig a pool.sks-keyservers.net ;; ANSWER SECTION: pool.sks-keyservers.net. 3588 IN A 74.50.54.68 pool.sks-keyservers.net. 3588 IN A 130.133.110.62 pool.sks-keyservers.net. 3588 IN A 85.93.216.115 pool.sks-keyservers.net. 3588 IN A 130.206.1.111 pool.sks-keyservers.net. 3588 IN A 37.44.0.28 pool.sks-keyservers.net. 3588 IN A 178.32.66.144 pool.sks-keyservers.net. 3588 IN A 193.70.2.173 pool.sks-keyservers.net. 3588 IN A 178.175.148.28 pool.sks-keyservers.net. 3588 IN A 85.227.82.204 pool.sks-keyservers.net. 3588 IN A 192.146.137.98 and is not the correct recipient for any such request. References: [the source code open source] https://git.sumptuouscapital.com/?p=sks-keyservers-pool.git;a=summary [DNS Round-Robin] https://en.wikipedia.org/wiki/Round-robin_DNS [since 2006] (i) https://lists.nongnu.org/archive/html/sks-devel/2006-12/msg00002.html (ii) https://blog.sumptuouscapital.com/2016/12/10-year-anniversary-for-sks-keyservers-net/ [the blog post regarding deletion requests] https://blog.sumptuouscapital.com/2016/03/openpgp-certificates-can-not-be-deleted-from-keyservers/ On 2/19/19 11:32 AM, casew...@ico.org.uk wrote: > 19 February 2019 > > > > *Case Reference Number RFA0751305* > > > > Dear Mr Fiskerstrand > > > We are writing to you because we have received a complaint from Mr Dean > Hughes regarding the way SKS Keyservers handles its data protection > obligations. > > *The ICO’s role * > > Part of our role is to consider complaints from individuals who believe > their data protection rights have been infringed. > > *Complaint raised with us* > > Mr Hughes has complained that SKS Keyservers has not complied with his > request for erasure. Mr Hughes has complained that the keyservers share > and make personal details publically available, such as his name and > email addresses. > > Mr Hughes has stated that he willingly submitted his personal data to > your organisation years ago but would now like for it be deleted from > both your organisation’s keyservers and the keyservers with which also > shared his data. > > Furthermore, it has been suggest that the records Mr Hughes has asked to > be deleted contain personal data from more than 20 years ago, which > include his name and email addresses. > > *What you need to do now* > > We want you to revisit the way you have handled this matter and consider > any further action that you can take that may resolve this complaint. > > If you feel that you have complied with the Data Protection law in this > case, please explain to us why. > > We would also like you to provide the following information: > > * Details of how you have handled this request for erasure. > > * Details of why Mr Hughes did not receive a response from SKS > Keyservers when exercising his rights. > > * Details of the organisation’s retention notice (as it would seem > that this is not on the website). > > * Details of SKS Keyservers’ lawful basis for processing this data and > why it is disclosing individuals’ –including Mr Hughes’– data > publically. > > * Details of any safeguards in place to help ensure you handle > personal data properly, particularly in relation to this specific > matter. > > * Details of any steps you have taken to add to or strengthen these > safeguards. > > > For your reference I have attached evidence that supports Mr Hughes’ > data protection concerns pertaining to his personal data. > > On a separate note, we would like to see a copy of SKS Keyservers’ > privacy policy to ensure that the organisation is compliant with its > information rights and practices. This is because, it would appear that > there is not a privacy policy on the website and this is an obligation > under the new legislation, to inform its users, transparently, that the > organisation is processing information that acts accordingly with GDPR > and the Data Protection Act 2018 (‘DPA’). > > You must provide this response as soon as possible and in any event > within *14 days*. > > If you do not provide the information we have requested, we will either > base our decision on the information available or consider issuing an > Information Notice. > > *Advice and assistance* > > Our website contains advice and guidance about the processing of > personal data and an organisation’s obligations under the Data > Protection law. I recommend that you review the information on our > website before finalising your reply. > > Should you wish to discuss this case any further, or require any > clarification, please do not hesitate to contact me. > > Yours sincerely > > Ryan Garner > Case Officer > Information Commissioner’s Office > 0330 414 6876 > > *ICO Statement* > You should be aware that the Information Commissioner often receives > request for copies of the letters we send and receive when dealing with > casework. Not only are we obliged to deal with these in accordance with > the access provisions of the data protection framework and the Freedom > of Information Act 2000, it is in the public interest that we are open > and transparent and accountable for the work that we do. > > For information about what we do with personal data see our privacy > notice at www.ico.org.uk/privacy-notice > <http://www.ico.org.uk/privacy-notice> > -- ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk ---------------------------- Public OpenPGP keyblock at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 ---------------------------- Corruptissima re publica plurimæ leges The greater the degeneration of the republic, the more of its laws
Email sent 29/5/18: Date: Tue, 29 May 2018 13:24:17 +0100 Subject: GDPR Erasure Request From: Dean Hughes <d...@hopcount.com> To: kristian.fiskerstr...@kfwebs.net Dear Kristian, please find below a request exercising the GDPR right to erasure. I would be grateful if you would remove the following keys from your servers and storage devices and other third-party services with which your service shared this personal data. These records contain personal data that identify me as an individual pub 1024D/43AC5195 1998-11-25 Key fingerprint = 95BD F734 73C7 569E 5BDA CB78 1E21 55B4 43AC 5195 pub 1024D/6206C662 1997-12-20 Key fingerprint = AB92 4165 BCA2 7335 31F8 D1CC A353 ED76 6206 C662 pub 1024D/332B560B 2006-04-27 Key fingerprint = 3C7F FF39 CA2B 8022 0475 ECF2 C2F2 0E7B 332B 560B pub 1024D/826DB190 2001-11-18 Key fingerprint = D767 DAC9 B3EB CB15 7964 7CC9 9E54 EBE1 826D B190 pub 1024R/95E81DB5 1994-08-07 Key fingerprint = 1A C6 43 10 1B DE 8F 22 CC 4F 6E 50 DF E4 98 51 pub 1024D/F70C5551 1997-11-01 Key fingerprint = 92B2 48A3 D986 61B0 2DA1 AAAC 8B6E 6725 F70C 5551 Regards. Dean Hughes Reminder send 31/5/2018: Date: Thu, 31 May 2018 22:14:35 +0100 Subject: Re: GDPR Erasure Request From: Dean Hughes <d...@hopcount.com> To: kristian.fiskerstr...@kfwebs.net, k...@eika.no, k...@gnupg.net Hi Kristian I haven't received a response to my request therefore I am copying the email to your other email addresses. You should be aware that under the GDPR data processors and controllers are legally bound to delete personal data within 30 days of receiving a request. Regards. On 29 May 2018 at 13:24, Dean Hughes <d...@hopcount.com> wrote: > Dear Kristian, please find below a request exercising the GDPR right to > erasure. > > I would be grateful if you would remove the following keys from your > servers and storage devices and other third-party services with which your > service shared this personal data. These records contain personal data > that identify me as an individual > > > pub 1024D/43AC5195 1998-11-25 > Key fingerprint = 95BD F734 73C7 569E 5BDA CB78 1E21 55B4 43AC 5195 > > pub 1024D/6206C662 1997-12-20 > Key fingerprint = AB92 4165 BCA2 7335 31F8 D1CC A353 ED76 6206 C662 > > pub 1024D/332B560B 2006-04-27 > Key fingerprint = 3C7F FF39 CA2B 8022 0475 ECF2 C2F2 0E7B 332B 560B > > pub 1024D/826DB190 2001-11-18 > Key fingerprint = D767 DAC9 B3EB CB15 7964 7CC9 9E54 EBE1 826D B190 > > pub 1024R/95E81DB5 1994-08-07 > Key fingerprint = 1A C6 43 10 1B DE 8F 22 CC 4F 6E 50 DF E4 98 51 > > pub 1024D/F70C5551 1997-11-01 > Key fingerprint = 92B2 48A3 D986 61B0 2DA1 AAAC 8B6E 6725 F70C 5551 > > Regards. > > Dean Hughes > Response received 31/5/2018: On 05/31/2018 11:14 PM, Dean Hughes wrote: > Hi Kristian I haven't received a response to my request therefore I am > copying the email to your other email addresses. You should be aware that > under the GDPR data processors and controllers are legally bound to delet= e > personal data within 30 days of receiving a request. I do not intend to do anything about this request, for one thing it isn't specific to what services you're referring to, but presuming it is keys2.kfwebs.net I could delete it, but it is part of the global keyserver network that a globally gossiping network, so it would be re-added within the next recon round. See https://blog.sumptuouscapital.com/2016/03/openpgp-certificates-can-not-be-d= eleted-from-keyservers/ but do with it as you want --=20 ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk ---------------------------- Public OpenPGP keyblock at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 ---------------------------- Divide et impera Divide and govern gpg: searching for "43AC5195" from hkp server pool.sks-keyservers.net (1) Anonymous Dean Hughes <d...@dplex.com> 1024 bit DSA key 43AC5195, created: 1998-11-25, expires: 2018-05-29 (expired) ------------------------------ gpg: searching for "6206C662" from hkp server pool.sks-keyservers.net Dean Hughes <d...@cog.nu> Dean Hughes <d...@con0.com> Dean Hughes <ICQ:40843878> Dean Hughes <d...@null.net> Dean Hughes <d...@hopcount.com> Dean Hughes <d...@cog.clara.net> Dean Hughes <d...@hopcount.com> Dean Hughes <hughe...@anc.co.uk> Dean Hughes <dean.hug...@gmail.com> Dean Hughes <deanhug...@ntlworld.com> Dean Hughes <d...@lifeform.demon.co.uk> 1024 bit DSA key 6206C662, created: 1997-12-20, expires: 2018-05-29 (expired) ------------------------------ gpg: searching for "332B560B" from hkp server pool.sks-keyservers.net Dean Hughes <d...@o9.org> 1024 bit DSA key 332B560B, created: 2006-04-27, expires: 2018-05-29 (expired) ------------------------------ gpg: searching for "826DB190" from hkp server pool.sks-keyservers.net (1) Dean Hughes <d...@con0.com> 1024 bit DSA key 826DB190, created: 2001-11-18 ------------------------------ gpg: searching for "95E81DB5" from hkp server pool.sks-keyservers.net (1) Dean Hughes <Fido 2:256/502.99> 1024 bit RSA key 95E81DB5, created: 1994-08-07 ------------------------------ gpg: searching for "F70C5551" from hkp server pool.sks-keyservers.net (1) Dean Hughes <d...@lifeform.demon.co.uk> 1024 bit DSA key F70C5551, created: 1997-11-01 (revoked)
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel