Seriously, requiring a PGP key during signup?? For buyers? Here's the problem: having an identifying key in your PGP keyring actually decreases security when the feds go to connect your account to a computer or identity. Most users do not practice proper keyring security. PGP is pretty useless for buyers anyway, as long as they encrypt their address.
Just adding more layers that look like security isn't security. What types of attacks are being prevented here anyway? Stolen accounts? Why not go the traditional PIN route like any other marketplace? Just makes no sense.
Edit1: Also, requiring a number in the password does not increase security. It actually reduces the brute-force/dictionary keyspace if you exclude all passwords with <1 number.
Edit2: Also leaking platform information in headers: "Server: lighttpd/1.4.35" Coolio. I hope this is false flag info.
Edit3: Server is running PHP. Change your damn session ID variable name.
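The keyspace point from Edit1 can be put in numbers. The script below is an added example, not code from the original post or from the marketplace being discussed: it counts, by inclusion-exclusion, how many passwords of a given length over a uniformly random alphabet survive a "must contain at least one character from each required class" rule, and reports what the rule removes as a fraction and in bits. The alphabet size of 95 (printable ASCII) and the class sizes (10 digits, 26 upper-case letters) are assumptions chosen for the illustration; the function accepts any disjoint classes, so it generalizes beyond the single "one digit" rule in the post.

```python
from itertools import combinations
from math import log2


def keyspace_with_required_classes(length, alphabet_size, class_sizes):
    """Number of strings of `length` over `alphabet_size` symbols that contain
    at least one symbol from EACH of the disjoint classes in `class_sizes`.

    Inclusion-exclusion over the set of classes that are entirely missing:
    sum over subsets S of the classes of (-1)^|S| * (alphabet - |S's symbols|)^length.
    """
    total = 0
    for r in range(len(class_sizes) + 1):
        for missing in combinations(class_sizes, r):
            total += (-1) ** r * (alphabet_size - sum(missing)) ** length
    return total


def composition_rule_effect(length, alphabet_size=95, class_sizes=(10,)):
    """Compare the unconstrained keyspace with the keyspace left after a
    composition rule, assuming passwords are drawn uniformly at random.

    Defaults (assumed for illustration): 95 printable ASCII symbols and a
    single required class of 10 digits, i.e. the 'at least one number' rule.
    """
    unconstrained = alphabet_size ** length
    constrained = keyspace_with_required_classes(length, alphabet_size, class_sizes)
    return {
        "unconstrained": unconstrained,
        "constrained": constrained,
        "removed_fraction": 1 - constrained / unconstrained,   # share of keyspace the rule excludes
        "bits_lost": log2(unconstrained) - log2(constrained),  # same thing, as entropy
    }


if __name__ == "__main__":
    # Constructed scenarios: the post's 'one digit' rule, and a stricter
    # 'one digit and one upper-case letter' rule, at a few lengths.
    rules = {"digit": (10,), "digit+upper": (10, 26)}
    for name, classes in rules.items():
        for n in (8, 12, 16):
            e = composition_rule_effect(n, class_sizes=classes)
            print(f"rule={name:12s} len={n:2d} removed={e['removed_fraction']:.1%} "
                  f"bits_lost={e['bits_lost']:.2f}")
```

The script models uniformly random passwords; for human-chosen passwords the interaction with dictionary attacks is a different question (predictable patterns such as a trailing digit), which is why this only quantifies the keyspace side of the post's claim.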
Requiring PGP during signup weeds out complete newbies. I like that. There are lots of OG vendors there that appreciate the smart buyers it attracts. Any OPSEC-minded buyer would know not to have their PGP key lying around in the open. And it explains why DHL has had zero disputes since launch, except one recent minor dispute in the last week if I'm not mistaken.