You should definitely not be encouraging your users to give their private keys to JS on other sites; that's just as bad as (or maybe worse than) encouraging them to reuse passwords.
That's a good point... Perhaps a better solution is for them to be able to sign the public keys from the other sites to connect their profiles that way.
Thank you for your feedback. I can see now how a malicious system operator could steal the user's private key by modifying the JS.
The private key is stored in localStorage, but this is not the user's "real" private key which they might use for email, but a temporary device key, which can then be vouched for either by the admin or by the user.
I'm generating the keys in-browser for device-specific keys. I am not asking the users to provide their existing private keys, but I am storing the device keys in localStorage, because, where else?
Advanced users can then use their existing PGP keys to sign the device keys.
But this is not necessary in every environment, because in some situations, e.g. casual chat or internal boards, you don't need that kind of extended security, and temporary device keys, perhaps vouched by the operator, are sufficient.