- From: Jeffrey Walton <noloader@gmail.com>
- Date: Tue, 25 Mar 2014 19:07:57 -0400
- To: James Marshall <james@jmarshall.com>
- Cc: Ryan Sleevi <sleevi@google.com>, "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
On Tue, Mar 25, 2014 at 6:52 PM, James Marshall <james@jmarshall.com> wrote: > On Tue, Mar 25, 2014 at 2:24 PM, Ryan Sleevi <sleevi@google.com> wrote: >> ... >>> ... For example, I'd like >>> to see a webmail site with full end-to-end encryption, without making us >>> trust the server at all. CSP helps, but is not a full solution. >> >> No. This is impossible. This is not a valid threat, and not something in >> scope for this WG. > > Well, fair enough if it's not in scope, but I think it leaves a significant > problem unaddressed. Is secure webmail impossible then?... Yes. The problem is in the protocol, not in the implementations. You can't fix the architectural defects without breaking the existing protocol. You need a new protocol. That's why folks like Silent Circle abandoned support for email. Its literally impossible to secure. Jeff
Received on Tuesday, 25 March 2014 23:08:28 UTC