- From: Jeffrey Walton <noloader@gmail.com>
- Date: Tue, 25 Mar 2014 20:21:20 -0400
- To: James Marshall <james@jmarshall.com>
- Cc: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>

On Tue, Mar 25, 2014 at 8:13 PM, James Marshall <james@jmarshall.com> wrote:
> ...
> I've been assuming someone could use a browser (i.e. the security program in
> this case) from a different source than the webmail provider.

For completeness, you can avoid the (un)trusted distribution channel with side loading. It's a common case in enterprise, and does not rely on fetching JavaScript from any old server on the web.

> Also that key management is on the client side, and the
> webmail provider never sees the private keys.

I don't believe so. The US government broke similar with Hushmail with a backdoor'ed Java applet. It pre-dates the Snowden stuff. See, for example, Encrypted E-Mail Company Hushmail Spills to Feds, http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/.

How the US's reach extended into Canada is a different story altogether....

Jeff

Received on Wednesday, 26 March 2014 00:21:47 UTC