[GTP]

He's talking about giving their public key, not the private key that has to remain on the user's device(s) under all circumstances.

[forgotmypw16]

The private key is stored in localStorage, but this is not the user's "real" private key which they might use for email, but a temporary device key, which can then be vouched either by admin or by user.

[GTP]

I'm not understanding how this works, then. Are you using the user's private key to somehow derive temporary device keys?

[forgotmypw16]

Generate a PGP key using in-browser JS. Use that key submitted posts.

Then, later, sign either the file hashes or the public key itself using actual secure PGP. This is optional.

I'm not claiming any level of security, this is all mostly UI prototyping.

[GTP]

Sorry, what do you mean by "Use that key submitted posts"?