On Sat, 30 Aug 2008 10:45:18 -0600 "Jack Moffitt" <[EMAIL PROTECTED]> wrote:
> > First, users of Javascript clients don't care about e2e security.
>
> Ugh. Wrong. Please don't make such sweeping generalizations. In a
> few years most XMPP usage will probably be through JavaScript if
> current trends continue. That will be a bad time for us all.
>
> > Second, can you start direct XMPP connections from Javascript at
> > all? Ok, you could use some in-band connections and even employ
> > some of the crypto stuff but... first applies. Lots of work for no
> > real reason.
>
> BOSH exists and supports TLS. It's also widely implemented.
>
> > But if you really want it, the trust model won't work with
> > Javascript anyway (you don't have access to local data). But the
> > SAS method discussed earlier would work.
>
> You easily have access to local data if you use the Dojo framework,
> Google Gears, or a small bit of Flash. This is not a problem in
> reality. Users know that for true security they will have to jump
> through extra hoops, and installing Gears is really not that large of
> a hoop. Also, HTML5 will contain standardized local data storage as I
> recall, so what you are talking about is a current browser limitation,
> easily circumvented with current tools. This will not be the state of
> the Web in five years.
>
> Also, what about Flash and Flex, both based on JavaScript? Each of
> those has easy access to local storage and can even make direct XMPP
> connections without BOSH.

I wasn't talking about Javascript as the language. I was answering to your talk about browser-based javascript sandbox.

>
> jack.

--
Web: http://www.pavlix.net/
Jabber & Mail: pavlix(at)pavlix.net
OpenID: pavlix.net
