[whatwg] meta="encrypt" tag is needed

On Thu, May 6, 2010 at 8:44 AM,  <juuso_html5 at tele3d.net> wrote:
> <meta="encrypt" pubkey="ABABAEFEF2626EFEFEF"
> pubtool="EC256-AES|RSA2048-AES"
> passsalt="no|domainname" auth="verisign">
>

I see a few shortcomings in this approach:
a) each document is encrypted asymmetrically, affecting performance.
b) there is no management of keys (expiration, revocation, trust, etc).
c) the values for the pubtool attribute (encryption algorithm) will need to
be spec'd, slowing the deployment of new encryption algorithms (or better
techniques altogether).
d) how to handle XMLHttpRequests? how to handle XHRs receiving JSON or text?
e) information from the UA to the server is plaintext (e.g.,
logon/passwords). If, instead, authentication relies only on possession of
the user's private key, then any human can sit at the user's console and
automatically authenticate to all HTTP servers.

I'd prefer a radically different approach (TLS = out of scope).

Frank Migacz
Technical Instructor

Received on Friday, 7 May 2010 07:44:38 UTC