> First, users of Javascript clients don't care about e2e security.

Ugh. Wrong. Please don't make such sweeping generalizations. In a few years most XMPP usage will probably be through JavaScript if current trends continue.

> Second, can you start direct XMPP connections from Javascript at all?
> Ok, you could use some in-band connections and even employ some of the
> crypto stuff but... first applies. Lots of work for no real reason.

BOSH exists and supports TLS. It's also widely implemented.

> But if you really want it, the trust model won't work with Javascript
> anyway (you don't have access to local data). But the SAS method
> discussed earlier would work.

You easily have access to local data if you use the Dojo framework, Google Gears, or a small bit of Flash. This is not a problem in reality. Users know that for true security they will have to jump through extra hoops, and installing Gears is really not that large of a hoop.

Also, HTML5 will contain standardized local data storage as I recall, so what you are talking about is a current browser limitation, easily circumvented with current tools. This will not be the state of the Web in five years.

Also, what about Flash and Flex, both based on JavaScript? Each of those has easy access to local storage and can even make direct XMPP connections without BOSH.

jack.

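The point of contention above is whether a browser-based XMPP client can keep the local state an end-to-end trust model needs. As an added illustration (not code from this thread or from any of the projects it mentions), the block below is a small trust-on-first-use fingerprint store for a web client built on the HTML5 `localStorage` API, with an in-memory `Map` fallback so it also runs under Node.js. The key namespace `xmpp-e2e-fp:`, the record layout, the pin-on-first-sight policy, and the JIDs and fingerprints are all constructed for the example; the Gears, Dojo and Flash storage paths from the post are not used here.

```javascript
// Added example, not from the original thread. A minimal TOFU (trust on
// first use) store for peer key fingerprints in an XMPP web client.
// Uses HTML5 localStorage when the page provides it and an in-memory Map
// otherwise, so the same code runs in a browser and under Node.js.

const PREFIX = 'xmpp-e2e-fp:'; // hypothetical key namespace for this example

// Storage abstraction: window.localStorage in a browser, a Map elsewhere.
function makeBackend() {
  if (typeof localStorage !== 'undefined') {
    return {
      get: (k) => localStorage.getItem(k),
      set: (k, v) => localStorage.setItem(k, v),
      del: (k) => localStorage.removeItem(k),
    };
  }
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => { m.set(k, v); },
    del: (k) => { m.delete(k); },
  };
}

// Accept "ab:cd:..." or "abcd..." and return 64 lowercase hex chars
// (a 32-byte fingerprint, e.g. SHA-256 of the peer's public key).
function normalizeFingerprint(fp) {
  const hex = String(fp).replace(/[^0-9a-fA-F]/g, '').toLowerCase();
  if (hex.length !== 64) throw new Error('expected a 32-byte hex fingerprint');
  return hex;
}

// Pin per bare JID: the resource ("/laptop") changes, the identity does not.
function bareJid(jid) {
  return String(jid).split('/')[0].toLowerCase();
}

class TrustStore {
  constructor(backend = makeBackend()) { this.backend = backend; }

  key(jid) { return PREFIX + bareJid(jid); }

  // Returns 'new' (first contact, now pinned), 'match', or 'mismatch'.
  // A 'mismatch' means the peer's key changed: the UI must warn, not proceed.
  check(jid, presentedFp) {
    const fp = normalizeFingerprint(presentedFp);
    const stored = this.backend.get(this.key(jid));
    if (stored === null) {
      // First sight: pin it, but leave it unverified until the user
      // confirms it out of band (for example by comparing an SAS).
      const rec = { fp, verified: false, firstSeen: Date.now() };
      this.backend.set(this.key(jid), JSON.stringify(rec));
      return 'new';
    }
    const rec = JSON.parse(stored);
    return rec.fp === fp ? 'match' : 'mismatch';
  }

  // Called after the user has confirmed the pinned fingerprint.
  markVerified(jid) {
    const stored = this.backend.get(this.key(jid));
    if (stored === null) throw new Error('no pinned fingerprint for ' + bareJid(jid));
    const rec = JSON.parse(stored);
    rec.verified = true;
    this.backend.set(this.key(jid), JSON.stringify(rec));
  }

  isVerified(jid) {
    const stored = this.backend.get(this.key(jid));
    return stored !== null && JSON.parse(stored).verified === true;
  }

  forget(jid) { this.backend.del(this.key(jid)); }
}

// Constructed sample run: a first contact, a repeat with a different
// resource, then a key change that must be reported as a mismatch.
const demoStore = new TrustStore();
const FP_ALICE = '0f1e2d3c4b5a69788796a5b4c3d2e1f0'.repeat(2); // constructed
const FP_OTHER = 'ffeeddccbbaa99887766554433221100'.repeat(2); // constructed
console.log(demoStore.check('alice@example.com/laptop', FP_ALICE)); // new
console.log(demoStore.check('alice@example.com/phone', FP_ALICE));  // match
console.log(demoStore.check('alice@example.com', FP_OTHER));        // mismatch
```

In a real client the `'mismatch'` result is the whole value of the store: it is what lets the user notice a changed key before the SAS step, and it survives page reloads only because the record lives in `localStorage` rather than in script memory.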