- From: Nico Williams <nico@cryptonector.com>
- Date: Fri, 10 Jun 2011 14:35:46 -0500
- To: David Dahl <ddahl@mozilla.com>
- Cc: Anders Rundgren <anders.rundgren@telia.com>, public-web-security@w3.org, Jarred Nicholls <jarred@sencha.com>
On Fri, Jun 10, 2011 at 2:24 PM, David Dahl <ddahl@mozilla.com> wrote: >> IMHO, this is a rather odd value proposition: >> The server is supposed >> to provide JS-code for the client to encrypt data so that the server >> can't >> see it. Yes, cloud-storage services do this but they provide a lot >> more than just a crypto API. >> > On the contrary. > > The point is that the crypto is performed by your browser on the local machine - not by minimized server script or closed client apps of dubious value. Also, developers can write apps that use third-party APIs and services, but the plain text beomes cipher text, with the 3rd party having zero knowledge of the conversation, which is a main point of this API. > > Conversation, in general, has moved from email to web. In which case, a third-party always has a copy of your conversation. Which reminds me of OTR. But note that in the case of profile data including credit card numbers the service has a very strong incentive to store the data encrypted and do the crypto on the client-side: civil liability, which is what overcomes my script trust issues. The same doesn't apply to private messaging, yet. Nico --
Received on Friday, 10 June 2011 19:36:10 UTC