Re: [exim] for europeans only: EU GDPR and mitigation of CV…

Author: Niels Dettenbach
Date:  
To: exim-users
Subject: Re: [exim] for europeans only: EU GDPR and mitigation of CVE-2019-15846
On Friday, 6 September 2019, 14:37:23 CEST, Cyborg via Exim-users wrote:
> Article 32 p 1 EU GDPR states that the transport of personal data has
> to be protected,


I know that cr**, but:

- just "forcing" TLS is not "securing", because many servers until today use
certificates without a signature from the x509 CA "mob" (BA - who
financed the "encrypt everything" campaign in the EU, W3org and others).

- if a user decides to send his emails without encryption (senders as well as
recipients in Email are responsible for their "own side", incl. MX as MTA on
their side) - if they (for whatever reason) decide not to use encryption (i.e. because
they are only allowed to send unencrypted because of their local law), this
should be "their thing".

This EU law is still producing a huge amount of new legal insecurity (because
of i.e. contradictory rules and policies with very wide room for
interpretation), and the fines (for companies - not really for public
/ gov entities, whose services you can't choose...) are existential. By
this law, even a postcard (service) could be "violating"...

The internet is a global network of non-geolocatable users and it is ugly how
that EU law is still affecting non-EU companies (see i.e. the destroyed WHOIS
of many non-EU Registries) and limits our access to non-EU news sources and
other services, because they block "EU" users with 451 to avoid any "trouble".

Don't get me wrong here - I'm a huge fan of personal data security in the
meaning of informational self-determination, and encryption is (only) one
important tool for that - but this law works vice versa / abusively in reality.
There are many options for Email users to "secure" their Email against what
they want (we know, there is no "100% secure against anything...") - i.e. by
deciding for any kind of security-granting provider, (foreign) VPN services
or by really end-to-end encrypting their stuff with PGP or S/MIME.

> That's also the reason why you have
> to use https with contact forms in websites since 2016 )

...so that users "know they are secure without checking by themselves that the lock
is closed" - while that's not true (but it is the business principle of the BA CA
"mob" until today). Which user is checking even one Certificate Path in
reality?


just my .02$,


niels.

--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---