On 12/09/2013 01:37 PM, ad...@pgpkey.org wrote:
> Hi Stephan,
>
> Thanks for your feedback. That's right, the user needs to trust
> the service. The toolchain is open source http://openpgpjs.org/ and
> you can review the JS code. What does the "End" in end-to-end look
> like? Instead of using a mail plugin it's a website which runs JS
> code in your browser. Clearly a PGP user knows how to encrypt a
> message on his PC, but if my non-geek friends would like to send me
> an encrypted message without knowing PGP, I provide them one link
> and that's it. And how do you send an encrypted message without
> your PC? :)
>
> Regards
> Jan

Granted this whole discussion probably belongs somewhere else, but since we're first on the topic, let me chime in with my two cents.

First of all, any encryption done in a browser will at least have to be done in a browser extension that does not auto-update. One thing is whether one trusts a service today, but if tomorrow some completely different JS can be injected (or only injected based on e.g. IP address, or other identifiers for a specific user, which we have seen some cases of) then it can't be trusted.

Second, key validation. Your friends (or friends of anyone using the service) would have to carry along a phone-book of fingerprints, key types and sizes for each recipient. Other than the short key ID I don't see anywhere where this website provides information useful for key verification procedures. Not even after encryption. What happens if there is a short keyid collision? And is there a way to verify the structure of the encrypted message before sending? (similar to gnupg's --list-packets)

-- 
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Nil satis nisi optimum
Nothing but the best is good enough

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
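
The short key ID collision asked about in the message above, as an added example (not part of the original message and not OpenPGP.js code). The keyring holds the fingerprint from the signature block plus a second fingerprint constructed to share its last 32 bits; `findShortIdCollisions` and `selectKey` are hypothetical helper names.

```javascript
// For OpenPGP v4 keys the long key ID is the low 64 bits of the 160-bit
// fingerprint and the short key ID is the low 32 bits, so distinct keys can
// share a short ID while their fingerprints differ.
const normalize = (s) => s.replace(/^0x/i, "").replace(/\s+/g, "").toUpperCase();
const shortId = (fpr) => normalize(fpr).slice(-8);
const longId = (fpr) => normalize(fpr).slice(-16);

// Sample keyring. The first fingerprint is the one quoted in the message;
// the second is CONSTRUCTED for this example and is not a real key.
const keyring = [
  { uid: "Kristian Fiskerstrand", fpr: "94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3" },
  { uid: "constructed look-alike", fpr: "0123 4567 89AB CDEF 0123 4567 89AB CDEF E3ED FAE3" },
];

// Group keys by short ID and return every short ID held by more than one key.
function findShortIdCollisions(keys) {
  const byId = new Map();
  for (const k of keys) {
    const id = shortId(k.fpr);
    byId.set(id, [...(byId.get(id) || []), k.uid]);
  }
  return [...byId].filter(([, uids]) => uids.length > 1).map(([id, uids]) => ({ id, uids }));
}

// Pick a recipient key. Only a full 40-hex-digit fingerprint selects a key;
// a shorter ID is refused and the number of keys it would match is reported.
function selectKey(keys, identifier) {
  const id = normalize(identifier);
  if (!/^[0-9A-F]+$/.test(id)) return { key: null, candidates: 0, reason: "not hexadecimal" };
  const matches = keys.filter((k) => normalize(k.fpr).endsWith(id));
  if (id.length !== 40) {
    return { key: null, candidates: matches.length, reason: "not a full fingerprint" };
  }
  return matches.length === 1
    ? { key: matches[0], candidates: 1, reason: null }
    : { key: null, candidates: matches.length, reason: "fingerprint not in keyring" };
}

console.log(findShortIdCollisions(keyring));
console.log(selectKey(keyring, "0xE3EDFAE3"));
console.log(selectKey(keyring, keyring[0].fpr).key.uid);
```
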