Thanks John,

John Clizbe <>:

Kristian Fiskerstrand wrote:
Granted this whole discussion probably belongs somewhere else, but
since we're first on the topic, let me chime in my two cents.

First of all, any encryption done in a browser will at least have to
be done in a browser extension that does not auto-update. One thing is
whether one trusts a service today, but if tomorrow some completely
different JS can be injected (or only injected based on e.g. IP
address, or other identifiers for a specific user, which we have seen
some cases of) then it can't be trusted.


Second, key validation. Your friends (or friends of anyone using the
service) would have to carry along a phone-book of fingerprints, key
types and sizes for each recipient. Other than the short key ID I
don't see anywhere where this website provides information useful for
key verification procedures. Not even after encryption. What happens if
there is a short keyid collision? And is there a way to verify the
structure of the encrypted message before sending? (similar to gnupg's

For example: comes to mind right away.

How does the code handle keys with multiple email addresses? Does it mail-bomb
them all?

Good point, we need to improve :)

NB: Those wishing to try the code and query their own keyserver need to be
running my latest trunk. The patch adding the header that OpenJS needs to be
able to query keyservers is still sitting in a pull request for Yaron.

Which patch do you mean?


John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://  or

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
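
The short key ID collision question raised in the thread, as an added example that is not part of the original messages or of the project's code: a recipient lookup that refuses to pick a key when a short or long key ID is ambiguous and treats only a full 40-digit v4 fingerprint as an exact match. The function names and the sample fingerprints are constructed for illustration.

```javascript
// Constructed sample keyring (fingerprints are made up). The first two keys
// deliberately share the same last 8 hex digits, i.e. the same short key ID.
const SAMPLE_KEYS = [
  { fingerprint: "A1B2C3D4E5F60718293A4B5C6D7E8F90DEADBEEF", uids: ["alice@example.org"] },
  { fingerprint: "0F1E2D3C4B5A69788796A5B4C3D2E1F0DEADBEEF", uids: ["mallory@example.net"] },
  { fingerprint: "123456789ABCDEF0123456789ABCDEF012345678", uids: ["bob@example.org", "bob@example.com"] },
];

// Strip whitespace and an optional 0x prefix, then upper-case.
function normalizeId(id) {
  return String(id).replace(/\s+/g, "").replace(/^0x/i, "").toUpperCase();
}

// For OpenPGP v4 keys the long key ID is the low 64 bits of the fingerprint
// (last 16 hex digits) and the short key ID the low 32 bits (last 8).
function resolveKey(keys, selector) {
  const id = normalizeId(selector);
  if (!/^[0-9A-F]+$/.test(id) || ![8, 16, 40].includes(id.length)) {
    return { status: "invalid", matches: [] };
  }
  const matches = keys.filter((k) => normalizeId(k.fingerprint).endsWith(id));
  if (matches.length === 0) return { status: "not-found", matches };
  if (id.length === 40) return { status: "exact", matches };
  // Two keys behind one ID: never choose silently, make the sender decide.
  if (matches.length > 1) return { status: "ambiguous", matches };
  // A unique hit on a short or long ID still proves nothing about ownership.
  return { status: "needs-fingerprint-check", matches };
}

// Group a fingerprint in blocks of four so it can be compared by eye
// before anything is encrypted to the key.
function formatFingerprint(fingerprint) {
  return normalizeId(fingerprint).match(/.{1,4}/g).join(" ");
}

// What a sender would be shown for a short key ID that collides.
function describe(keys, selector) {
  const { status, matches } = resolveKey(keys, selector);
  const lines = matches.map(
    (k) => `${formatFingerprint(k.fingerprint)}  ${k.uids.join(", ")}`
  );
  return [`${normalizeId(selector)}: ${status}`, ...lines].join("\n");
}

console.log(describe(SAMPLE_KEYS, "0xDEADBEEF"));
```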

Sks-devel mailing list