Identity verification for Ebay!

If you’re lucky enough to look under 21 we may have to ask for proof of your age.

That’s how stores like Sainsbury and Tesco tell their shoppers that if they’re trying to buy alcohol and look under 21 the cashier will ask them for a valid document as proof of their age.

Last year I decided to sell my PSP on Ebay! I paid the fee and put up the auction. Long story short I was almost scammed into selling my PSP to a Nigerian who commandeered an American account and sent me some brilliantly realized fake PayPal payment emails.

Luckily the real account owner noticed and alerted me on time otherwise it was goodbye PSP and money. Yes, I know, I’ve been stupid and didn’t check the payment emails properly, but it was a very well reputed account (on Ebay!) and I trusted it implicitly.

So here’s what I’d like to have and couldn’t find anywhere on the net. A very simple and small website providing an identity verification service for Ebay! users. Could be based on GPG and would ideally work this way:

1. When a user signs up on the service a GPG key pair is created for him and the date of the creation is recorded
2. The private GPG key is sent armored to the user email address.
3. The user will also be given some HTML code to generate widgets in their Ebay! auction pages which will display a simple “Verify” button and the date the user signed up on the service

Now whenever I’m interested in an item I can verify the identity of the seller in the following way:

1. Click on the “Verify” link on the widget
2. The system will send a message (random number or something) encrypted with that user’s GPG public key to their email address
3. The user will have to decrypt (maybe with a small really simple application) the message and enter the code provided in the email on a page in the system.
4. The seller will also be asked whether he wants to verify the buyer identity or not
5. The system will send an email to the buyer confirming the seller’s identity (or not) and eventually asking the buyer to verify their identity

The date the account was created in the verification system is very important at this stage because you may not want to trust completely a key created the very same day of the auction.

I know the idea is a bit blurry and definitely has some loopholes, but I’m confident that they can all be closed and security risks minimized.

Do you know of any system like this on the net? If not please create it! I love Ebay! but I’m tired of having to spend days in a state of total distress and anxiety every time I sell or buy something!