I'm sorry but aren't we spending a lot of time conflating code quality, secure coding practices, software distribution, .. with ~JavaScript in a browser~?

There are alternate pathways, signed and delivered as a Dashboard widget via the Apple App Store for example. I'm not proposing ~that~ as *wipes hands* and we're done. I'm just saying if you think the tool is useful and JavaScript is currently dominating a lot of areas (Gnome's shift is another place) - isn't it prudent to start developing the bullet list of how to make JavaScript applications acceptable for these tasks?

Also - didn't Fabio and OpenPGPjs folks put a lot of time into consolidating and suggesting defensible JavaScript practices in various environments on various devices?

Also also - there was a conjecture made that "The code signing system could require the signature of more than one entity. For example, it could require a signature from the web site owner as well as signatures from any number of reputable security auditing companies and security researchers." - but I'm not sure how this would work in operations practice. Thoughts on that? (Source: https://defuse.ca/web-browser-javascript-cryptography.htm)

Anyhow, I'm not suggesting I like the nature of the project or any of this is a good idea - but a lot of the criticisms seem to hold ~everywhere~ with bad practice and not JavaScript itself. So I'm curious..

-Ali

On Mon, Aug 12, 2013 at 5:04 PM, danimoth <danim...@cryptolab.net> wrote:
> On 12/08/13 at 02:58pm, Francisco Ruiz wrote:
>> Thanks for a thoughtful and extensive reply. Let me see if I'm
>> understanding your position correctly.
>
> [snip, snip, snip]
>
>> So, trusting the OS but not trusting the browser seems to me a curious case
>> of double standard. They are made by the same companies, after all.
>
> Trusting the browser in respect to trusting the OS implies adding a lot
> more hypotheses on the stack, in order to define properties of your
> software. To be clear, trusting the browser strictly contains
> trusting the OS, and in my humble point of view, if I need to choose,
> I choose fewer hypotheses. In my rescue, there is the fact that actually
> *no state-of-art solutions* exist for web cryptography (is that word
> right? or it is a no-sense?). To reach this point, proposals should be
> made, and yours is one approach to evaluate, but (personally) I don't
> like selling advertisement based on nothing.
>
> In conclusion, if you really trust IE x.0 to execute your code,
> you're welcome; I generally don't trust it even for viewing
> web sites :-)
>
> Users at this point have a lot of resources to check to make their own
> opinion, I'm feeling fine with myself.
>
> Have a nice day
> --
> Liberationtech is a public list whose archives are searchable on Google.
> Violations of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> change to digest, or change password by emailing moderator at
> compa...@stanford.edu.
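The multi-signature conjecture quoted from defuse.ca in the message above, as an added example that is not part of the original thread or of any project it mentions: a verifier that accepts a script bundle only when the site owner and at least two distinct auditors have signed the exact bytes. The signer names, the threshold of 2, the use of Ed25519 via Node's `crypto` module and the sample bundle are all assumptions made for illustration.

```javascript
// Added example: verify an owner-plus-auditors signature policy on a script bundle.
const { generateKeyPairSync, sign, verify } = require("node:crypto");

// Constructed signers (hypothetical names). A real verifier pins public keys only.
const keys = new Map();
for (const name of ["owner", "auditorA", "auditorB", "auditorC"]) {
  keys.set(name, generateKeyPairSync("ed25519"));
}

// Assumed policy: the site owner must sign, plus at least 2 distinct auditors.
const policy = {
  required: ["owner"],
  auditors: ["auditorA", "auditorB", "auditorC"],
  threshold: 2,
};

// Detached Ed25519 signature over the exact bytes that will be executed.
function signBundle(name, bundle) {
  return { signer: name, sig: sign(null, bundle, keys.get(name).privateKey) };
}

function verifyBundle(bundle, signatures, pol = policy) {
  const valid = new Set(); // a Set, so a repeated signer counts once
  for (const { signer, sig } of signatures) {
    const pair = keys.get(signer);
    // Unknown signers and signatures that fail to verify are never counted.
    if (pair && verify(null, bundle, pair.publicKey, sig)) valid.add(signer);
  }
  const requiredOk = pol.required.every((n) => valid.has(n));
  const auditorCount = pol.auditors.filter((n) => valid.has(n)).length;
  return requiredOk && auditorCount >= pol.threshold;
}

// Constructed sample bundle and signatures.
const bundle = Buffer.from("function encrypt(msg, key) { /* v1 */ }");
const owner = signBundle("owner", bundle);
const a = signBundle("auditorA", bundle);
const b = signBundle("auditorB", bundle);

console.log("owner + 2 auditors:", verifyBundle(bundle, [owner, a, b]));
console.log("owner + 1 auditor: ", verifyBundle(bundle, [owner, a]));
console.log("modified bundle:   ", verifyBundle(Buffer.from("changed"), [owner, a, b]));
```

The check is only as strong as the place it runs and the way the pinned public keys reach it; if the verifier itself is delivered by the same server as the bundle, the policy adds nothing.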