DO Ideas 2

Allow PGP key registration for account verification.

The current verification method for accounts if you are unable to access the email on file is to email a picture of yourself with a legible government-issued ID. Not only is this inconvenient, but once you've done it once, it is no longer a safe method of verification for _any_ service ever again, as the email (and attachment) is plaintext and thus could be sniffed up and reused by any malicious user.

Allowing us to register our PGP public key and provide a URL to a keyserver to check for revocation would not only be a more convenient method of account verification, but would also be significantly more secure.

Such a method could even be used to automate verifications, as a human would no longer have to look at and deal with parsing a photo, but instead either the digital signature on the request is valid or not. Such verification would also work for both email and site-based messages (as you can sign the email, or clearsign a message and paste that in.)

  • Robert Klebes
  • Sep 11 2018
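The automated check the post proposes, sketched as an added example (not part of the original post and not DigitalOcean code): it decides whether to accept a signed request from the machine-readable status lines GnuPG emits with `--status-fd`, pinning the result to the registered key's fingerprint and failing closed on revoked or expired keys. The function name, the server-issued challenge string and all sample values are assumptions constructed for illustration.

```python
# Keywords GnuPG writes to --status-fd, e.g. `gpg --status-fd 1 --verify request.asc`.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def decide(status_output, registered_fpr, signed_text, challenge):
    """Return (accepted, reason) for one signed verification request."""
    registered = registered_fpr.replace(" ", "").upper()
    good, primaries = 0, []
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # skip human-readable output, keep only status lines
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False, keyword  # bad signature, expired or revoked key
        if keyword == "GOODSIG":
            good += 1
        elif keyword == "VALIDSIG":
            if len(args) < 10:
                return False, "MALFORMED_VALIDSIG"
            primaries.append(args[9].upper())  # last field: primary key fingerprint
    if good != 1 or len(primaries) != 1:
        return False, "NEED_EXACTLY_ONE_GOOD_SIGNATURE"
    if primaries[0] != registered:
        return False, "NOT_REGISTERED_KEY"  # valid signature, but from another key
    # Assumption: the service issues a fresh challenge per request, so an old
    # signed message cannot be replayed the way a photographed ID could be.
    if not challenge or challenge not in signed_text:
        return False, "CHALLENGE_MISSING"
    return True, "OK"

# Constructed sample data (not real keys or real GnuPG output).
PRIMARY = "0123456789ABCDEF" * 2 + "01234567"  # 40 hex characters
SUBKEY = "F" * 40
CHALLENGE = "verify-7f3a9c"
TEXT = "Please verify my account. Challenge: verify-7f3a9c"
GOOD_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG FFFFFFFFFFFFFFFF Constructed User <user@example.org>",
    f"[GNUPG:] VALIDSIG {SUBKEY} 2018-09-11 1536662400 0 4 0 1 8 01 {PRIMARY}",
])
REVOKED_STATUS = GOOD_STATUS.replace("GOODSIG", "REVKEYSIG")

if __name__ == "__main__":
    print(decide(GOOD_STATUS, PRIMARY, TEXT, CHALLENGE))
    print(decide(REVOKED_STATUS, PRIMARY, TEXT, CHALLENGE))
```

Revocation is only caught if the service refreshes the registered key from the keyserver before verifying; this sketch assumes that refresh has already happened.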