Re: security of a client-side JS API?

That doesn't really help for anything non-real-time.  For example, offline delivery for XMPP or similar.

There's also a fair bit of overhead involved in setting up that channel.


On Nov 1, 2012, at 11:24 AM, Eric Rescorla <ekr@rtfm.com> wrote:

> As Zooko says, WebRTC provides a mechanism for establishing an
> end-to-end cryptographically protected data channel (for those who
> care, SCTP over DTLS). These channels can be created and accessed by
> JS.
> 
> In terms of implementation status, this "datachannel" functionality is
> available in the current Firefox Aurora build (though it's kind
> of a hard-hat area) and under active development for Chromium. (Though
> Chrome's WebRTC implementation is generally further along).
> 
> -Ekr
> 
> 
> On Thu, Nov 1, 2012 at 11:08 AM, Zooko Wilcox-OHearn
> <zooko@leastauthority.com> wrote:
>> On Wed, Oct 31, 2012 at 5:54 PM, Arthur D. Edelstein
>> <arthuredelstein@gmail.com> wrote:
>>> 
>>> If you have any hints on who in W3C might be working on a proposal for an end-to-end encryption standard for the browser, I'd be very grateful! I haven't found it yet. :)
>> 
>> I too would be very interested in this. Please let me know what you
>> find. The relevance to *this* working group would be that this would
>> be a use case which the WebCrypto API might be able to support. You
>> might want to start by looking at WebRTC and asking people who work on
>> that standard. It provides end-to-end connectivity, and I believe it
>> comes with a Diffie-Hellman key exchange built in. So some of the hard
>> parts of developing secure e2e connections are already done by WebRTC!
>> And, WebRTC is already pretty far along in being implemented and
>> deployed.
>> 
>> https://en.wikipedia.org/wiki/WebRTC
>> 
>> Regards,
>> 
>> Zooko Wilcox-O'Hearn
>> 
>> Founder, CEO, and Customer Support Rep
>> 
>> https://LeastAuthority.com
>> 
> 
> 

Received on Thursday, 1 November 2012 13:14:23 UTC