- From: Arthur D. Edelstein <arthuredelstein@gmail.com>
- Date: Thu, 1 Nov 2012 08:39:38 -0700
- To: Eric Rescorla <ekr@rtfm.com>
- Cc: Zooko Wilcox-OHearn <zooko@leastauthority.com>, Ryan Sleevi <sleevi@google.com>, public-webcrypto-comments@w3.org

Hi All,

On Thu, Nov 1, 2012 at 3:24 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> As Zooko says, WebRTC provides a mechanism for establishing an
> end-to-end cryptographically protected data channel (for those who
> care, SCTP over DTLS. These channels can be created and accessed by
> JS.

Thanks for the suggestion about WebRTC. Please forgive my ignorance -- if the WebRTC data channels can be accessed by client-side JS, doesn't that mean that messages can be read by the web app launching the channel?

My concern is that browsers currently provide nothing out-of-the-box for users who want encrypted communications that cannot be read by a web app provider. This situation has resulted in a rampant online privacy problem, as I'm sure everyone here is very aware.

Many users are going to perhaps have difficulty understanding the nuance that the WebCrypto API doesn't give stronger privacy protections than existed before. So I'm struggling to see the benefits of a new crypto functionality for web apps that may require users to make new security decisions (such as providing keys or signing documents).

Best regards,
Arthur

Received on Thursday, 1 November 2012 15:40:05 UTC