1. Check if encryption subkey is available. If it is, follow the standard flow in place already
2. Send a token URL to the email address (similar to how we validate emails currently)
3. Include in that email the message that we expect to get a clearsigned token to validate the message. Anyone capable of creating a signing-only key will know what that means and how to do it.
4. On the token confirmation page, expect the user to provide their launchpad password and to paste into a textarea the token clearsigned with the key we're trying to validate.
The workflow would essentially be:
1. Check if encryption subkey is available. If it is, follow the standard flow in place already
2. Send a token URL to the email address (similar to how we validate emails currently)
3. Include in that email the message that we expect to get a clearsigned token to validate the message. Anyone capable of creating a signing-only key will know what that means and how to do it.
4. On the token confirmation page, expect the user to provide their launchpad password and to paste into a textarea the token clearsigned with the key we're trying to validate.