Have the user (sender) register and verify email

[chrisamanse]

While the current architecture definitely let's people who don't know PGP send encrypted messages, it doesn't let the recipient verify the sender's identity.

One solution for this is to have the sender signup and verify their email. This way, hawkpost can also restrict access of the links/boxes to selected users.

[dethos]

Agree, this is an important additional feature. We just have to figure out, what is the way that implements that verification and adds a little friction as possible.

[pdcribeiro]

I thought about this for a bit. What about something like this, @dethos?

• When recipient creates box, there's a checkbox option to restrict the box to verified users
• When sender opens restricted box URL
  • Sees box submission page if:
    1. user is logged in
    2. or URL contains valid OTP
  • Otherwise, sees restricted page asking to:
    1. login/register
       • user sees login/register modal
    2. or receive an OTP
       • user sees 'get OTP' modal
       • inputs email
       • receives email with box URL along with OTP
       • opens URL
       • sees box submission page

[dethos]

Sounds good

While we figure out the details for the OTP flow, we could start with the simpler approach of allowing the owner of the box to require "login" for submitting to a given box. This would also turn the optional feature of including the sender's email address in the Reply-To "header" into a required one.