Re: Smart Card support. Re: Request for feedback: DOMCrypt API proposal

On Fri, Jun 10, 2011 at 2:24 PM, David Dahl <> wrote:
>> IMHO, this is a rather odd value proposition:
>> The server is supposed
>> to provide JS-code for the client to encrypt data so that the server
>> can't
>> see it. Yes, cloud-storage services do this but they provide a lot
>> more than just a crypto API.
> On the contrary.
> The point is that the crypto is performed by your browser on the local machine - not by minimized server script or closed client apps of dubious value. Also, developers can write apps that use third-party APIs and services, but the plain text beomes cipher text, with the 3rd party having zero knowledge of the conversation, which is a main point of this API.
> Conversation, in general, has moved from email to web. In which case, a third-party always has a copy of your conversation.

Which reminds me of OTR.  But note that in the case of profile data
including credit card numbers the service has a very strong incentive
to store the data encrypted and do the crypto on the client-side:
civil liability, which is what overcomes my script trust issues.  The
same doesn't apply to private messaging, yet.


Received on Friday, 10 June 2011 19:36:10 UTC