For example: Spymaster Alice wants info on Alliance A’s fleet composition/fittings. Spy Bob knows this info and agrees to give it to Alice.

Alice has, during signup, registered her public key with the service, and Bob uses the key to encrypt the message, after signing it with his key, which he also registered with the service.

If we assume that the operator, Eve, is trying to eavesdrop, Eve now needs both Bob and Alice’s private keys in order to alter the data, or just Alice’s key to read it. Eve’s control over the data assuming keys are not compromised is limited to sending or not sending the data between parties.

Of course, the problem then lies in making public/private key cryptography simple enough for the average EVE player, in a way that is still secure.

I think the only way to do this would be to provide an open source client to the website that ran on a user’s computer and managed the public/private key aspects (generation, signing, encryption). In fact, all the website needs to do is keep a register of users, their public keys, requests for information and responses given to that information. A small helper app that ran locally, responded to special links on the site (say I click ‘Respond’ on Alice’s offer; the website opens up the app and asks me to enter my response before signing and encrypting the response and POSTing it to the server), as long as the helper app is open source, would guarantee security between parties and ensure there is no eavesdropping by Eve.

Excellent Idea.