💾 Archived View for rawtext.club › ~sloum › geminilist › 006797.gmi captured on 2023-11-14 at 09:05:32. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-11-30)

-=-=-=-=-=-=-

<-- back to the mailing list

GDPR and the protocol implications

Omar Polo op at omarpolo.com

Fri Jun 25 14:51:05 BST 2021

- - - - - - - - - - - - - - - - - - - 

Matthias Geier <matthias.geier at antipod.de> writes:

Hello fellow developers
To say that upfront, I searched most of the archive, didn't find that topic
in there
About gdpr and certificates. If I am not mistaken, before I even request
the TLS certificate, I'd need to get a user consent, not to mention storing
it.
On a capsule like station, you can ignore the certificate until you sign
up, but for instance if I want to prevent spam/DoS and check against a
certification authority, I'd need to get permission for that first. Which
beats the purpose partially
Is the manual opt-in to show a cert on a specific domain enough for gdpr
(clients require you to set the cert for the domains)? I can't show a gdpr
warning on the cert missing error, since the spec doesn't allow me to.

IANAL but what about responding with something like

60 Missing certificate: <gdpr warning here>\r\n

Not all clients show the *exact* meta for status codes != 20, but that'sanother issue.

Not to mention other consent stuff for storing and processing information?
I am aware that the small internet won't be sued soon, because no one
cares. However hosting a service in the EU as a private person has become
dangerous and you don't want to end up with a fine in the 10k range for
infringement
Any opinions, best practices, advice, discussion is welcome 🙃