Email-verifying key server

[lambdafu]

We need a simple, centralized key server that verifies email addresses, and allows to update and delete keys via the command line and web interface. Features are to be determined, but it should be very minimal:

• Probably only needs to store key and (hashed?) email address, and during transactions a session key. No password, all operations work like "I forgot my password" mechanisms on websites.
• Keys should fulfill some security requirements (freshness, expiration, etc).
• Good integration into neopg.
• Email verification by neopg command line or maybe even just a simple URL click. The registration key could be encrypted, but deletion can't be in case the key is lost. The most convenient would be to not require a full verification, and just allow the owner of the email address to set arbitrary keys.
• Some protection against crawling.
• If it stores email addresses in clear (rather than hashed), it can send reminder mails when the key is going to expire or becomes insecure. OTOH, not storing readable email addresses is a good idea.

Requires more thought, but we need to solve the problem of key retrieval in OpenPGP without repeating past mistakes. And although we want to support keybase.io, we don't want to put all eggs into one basket.

There is also autocrypt and pep for direct negotiation.

[lambdafu]

There is a discussion about publicly verifiable email addresses on keybase.io. Also see #20.

[lambdafu]

Seems to exist already: https://github.com/mailvelope/keyserver (Found via https://moderncrypto.org/mail-archive/messaging/2016/002217.html)