
Re: [GNU/consensus] PGP as web standard


From: Guido Witmond
Subject: Re: [GNU/consensus] PGP as web standard
Date: Thu, 11 Dec 2014 11:54:54 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.2.0

On 12/11/14 03:13, senya wrote:
> Hello!

> 
> So we need the software to be received from a trusted source. Just like we
> receive the browser from the repositories of our GNU/Linux system, which are
> trusted and have some ways to prove the software was not modified.

Indeed.


> We could use browser extensions to implement end-to-end encryption, but
> they hardly can be convenient, because they will always lack some
> important information, for example information on your recipient, that
> could be received only with the help of the website. This information is
> required to implement such useful things as automatic key selection for
> the recipient.

Indeed.


> So the problem of end-to-end encryption in web-based software requires
> that the browser interacts with the website receiving required information,
> but all the software that does the encryption loads from the computer of
> the user, not from the Internet at web site load time.

Indeed.


> All that led me to the idea that implementation of end-to-end
> encryption in web technologies should be a part of the web standard, so the
> rules of interaction between the website and the browser encryption module are
> defined strictly. For example, it could be defined as a special kind of
> form that is filled in by the user with unencrypted text, but when you submit
> the form, the browser really sends it PGP encrypted using a key that is
> determined by the context (you are in a web chat with certain
> recipients). This also can help in providing some extra security for
> these text blocks, because the browser could isolate unencrypted text from
> any javascript that may want to read it.

That's what I've designed and prototyped, except for PGP and Javascript
:-) I avoid all the accumulated cruft of those programs and implement it
on top of TLS and private CAs, one for each website.


> So, here is my question to you, as social networking project members.
> Have you ever thought of the necessity of realizing end-to-end encryption as
> part of the web standard? Do you think it is possible to push? Maybe it is
> nevertheless possible to implement end-to-end encryption with some
> javascript using some extra security and isolation measures? Or maybe
> you have some other ideas how to implement it, that I didn't think of?

Take a look at Eccentric Authentication.

Please read:

http://eccentric-authentication.org/blog/2012/10/23/a-blog-site.html
http://eccentric-authentication.org/blog/2013/06/07/run-it-yourself.html

Or read:

http://eccentric-authentication.org/blog/2014/11/30/spot-the-differences.html
and: http://eccentric-authentication.org/Usable-Security.pdf

With regards, Guido Witmond.
eccentric-authentication.org
