Open chrisamanse opened 7 years ago
Agree, this is an important additional feature. We just have to figure out what is the way that implements that verification and adds as little friction as possible.
I thought about this for a bit. What about something like this, @dethos?
Sounds good
While we figure out the details for the OTP flow, we could start with the simpler approach of allowing the owner of the box to require "login" for submitting to a given box. This would also turn the optional feature of including the sender's email address in the Reply-To "header" into a required one.
While the current architecture definitely lets people who don't know PGP send encrypted messages, it doesn't let the recipient verify the sender's identity.
One solution for this is to have the sender sign up and verify their email. This way, hawkpost can also restrict access of the links/boxes to selected users.