GDPR and the protocol implications

Omar Polo op at
Fri Jun 25 14:51:05 BST 2021

Matthias Geier <matthias.geier at> writes:

> Hello fellow developers
> To say that upfront, I searched most of the archive, didn't find that topic
> in there
> About gdpr and certificates. If I am not mistaken, before I even request
> the TLS certificate, I'd need to get a user consent, not to mention storing
> it.
> On a capsule like station, you can ignore the certificate until you sign
> up, but for instance if I want to prevent spam/DoS and check against a
> certification authority, I'd need to get permission for that first. Which
> beats the purpose partially
> Is the manual opt-in to show a cert on a specific domain enough for gdpr
> (clients require you to set the cert for the domains)? I can't show a gdpr
> warning on the cert missing error, since the spec doesn't allow me to.

IANAL but what about responding with something like

	60 Missing certificate: <gdpr warning here>\r\n

Not all clients show the *exact* meta for status codes != 20, but that's
another issue.

> Not to mention other consent stuff for storing and processing information?
> I am aware that the small internet won't be sued soon, because no one
> cares. However hosting a service in the EU as a private person has become
> dangerous and you don't want to end up with a fine in the 10k range for
> infringement
> Any opinions, best practices, advice, discussion is welcome 🙃

More information about the Gemini mailing list