OpenPGP key verification + legal framework

Viktor ageyev at gmail.com
Mon Nov 5 21:37:01 CET 2018


On 05/11/2018 21:50, Wiktor Kwapisiewicz wrote:
> Have you considered an alternative approach to email verification? For
> example just sending an e-mail (probably encrypted) with a one-time
> verification link?

Yes, we considered this option. But we cannot be sure that the user uses a 
secure email system and that this link cannot be read by somebody else.

For now, using Google’s login system seems to be the most reliable and 
secure solution. Our backend works on Google App Engine, and thus we 
don’t have our own login-password system and, accordingly, it is 
impossible to crack it unless you hack Google. Yes, of course Google can 
find out the public certificates associated with Google accounts, but 
any other user in our system can do this.

> That way non-Google users wouldn't be excluded.
> (Actually this approach
> would work for Google and non-Google users alike).

You can register a Google account with any email address. Simply, 
instead of creating an account on our service (another password that 
needs to be saved), you create an account on Google, or use an existing one.

It doesn't seem to me that every internet site should have its own 
separate login-password system; in most cases it is better to use an 
existing secure solution.

> Sending an encrypted e-mail additionally verifies that the user controls
> the key in question.

But you can easily send an email with any address in the 'From' field.
It does not mean you really control this email address.


Best regards,
Viktor Ageyev
CEO/CTO, Cryptonomica.net
