- From: Chasen Le Hara <rendezvouscp@gmail.com>
- Date: Tue, 15 Jan 2008 22:54:19 -0800
- To: "public-html@w3.org" <public-html@w3.org>
- Message-Id: <D9F3B478-8481-4757-93AC-400576C77226@gmail.com>
On Jan 15, 2008, at 10:17 PM, "Preston L. Bannister" <preston@bannister.us > wrote: > On Jan 14, 2008 6:27 AM, Geoffrey Sneddon > <foolistbar@googlemail.com> wrote: > > On 11 Jan 2008, at 09:32, Preston L. Bannister wrote: > > > Folks, you are re-inventing the wheel, and repeating classic > mistakes. > > The problem is all existing solutions have minor issues, see below: > > > There is a lack. It is (or should be) possible to do secure logins > > across > > unencrypted channels. What is needed is access to an encryption > > library from > > Javascript. That would be outside to scope of the HTML > specification. > > ECMAScript cannot be the solution, for what is the purpose of > encrypting data from some UAs (those that support ECMAScript) and not > from those that don't? It creates additional complexity on the server > having to determine whether a field is encrypted or not (though, with > BC concerns, this would need to be done anyway). If we want to encrypt > data, it should be from all HTML 5 UAs, and not just the subset > thereof that support ECMAScript. > > Is a UA that does not support Javascript viable? I suspect the > answer is "not". It's not any less viable than a UA that allows ECMAScript to be turned off.
Received on Thursday, 17 January 2008 07:26:54 UTC