Omar Polo op at omarpolo.com
Fri Jun 25 14:51:05 BST 2021
- - - - - - - - - - - - - - - - - - -
Matthias Geier <matthias.geier at antipod.de> writes:
Hello fellow developers
To say that upfront, I searched most of the archive, didn't find that topic
in there
About gdpr and certificates. If I am not mistaken, before I even request
the TLS certificate, I'd need to get a user consent, not to mention storing
it.
On a capsule like station, you can ignore the certificate until you sign
up, but for instance if I want to prevent spam/DoS and check against a
certification authority, I'd need to get permission for that first. Which
beats the purpose partially
Is the manual opt-in to show a cert on a specific domain enough for gdpr
(clients require you to set the cert for the domains)? I can't show a gdpr
warning on the cert missing error, since the spec doesn't allow me to.
IANAL but what about responding with something like
60 Missing certificate: <gdpr warning here>\r\n
Not all clients show the *exact* meta for status codes != 20, but that's another issue.
Not to mention other consent stuff for storing and processing information?
I am aware that the small internet won't be sued soon, because no one
cares. However hosting a service in the EU as a private person has become
dangerous and you don't want to end up with a fine in the 10k range for
infringement
Any opinions, best practices, advice, discussion is welcome 🙃