OpenPGP key verification + legal framework
ageyev at gmail.com
Mon Nov 5 21:37:01 CET 2018
On 05/11/2018 21:50, Wiktor Kwapisiewicz wrote:
> Have you considered an alternative approach to email verification? For
> example just sending an e-mail (probably encrypted) with a one-time
> verification link?
Yes, we considered this option. But we can not be sure that user uses
secure email system, and this link can not be read by somebody else.
For now, using Google’s login system seems to be the most reliable and
secure solution. Our backend works on Google App Engine, and thus we
don’t have our own login-password system and, accordingly, it is
impossible to crack it unless you hack Google. Yes, of course Google can
find out the public certificates associated with Google accounts, but
any other user in our system can do this.
> That way non-Google users wouldn't be excluded.
> (Actually this approach
> would work for Google and non-Google users alike).
You can register a Google account with any email address. Simply,
instead of creating an account on our service (another password that
needs to be saved), you create an account on Google, or use an existing one.
It doesn't seem to me that every internet site should have its own
separate login-password system, in most cases it is better to use the
existing secure solution.
> Sending an encrypted e-mail additionally verifies that the user controls
> the key in question.
But you can easily send email with any address in 'from' field.
It does not mean you really control this email address.
More information about the Gnupg-users