- From: Frank Migacz <fmigacz@gmail.com>
- Date: Fri, 7 May 2010 09:44:38 -0500
On Thu, May 6, 2010 at 8:44 AM, <juuso_html5 at tele3d.net> wrote:

> <meta="encrypt" pubkey="ABABAEFEF2626EFEFEF" pubtool="EC256-AES|RSA2048-AES"
> passsalt="no|domainname" auth="verisign">

I see a few shortcomings in this approach:

a) each document is encrypted asymmetrically, affecting performance.
b) there is no management of keys (expiration, revocation, trust, etc).
c) the values for the pubtool attribute (encryption algorithm) will need to be spec'd, slowing the deployment of new encryption algorithms (or better techniques altogether).
d) how to handle XMLHttpRequests? how to handle XHRs receiving JSON or text?
e) information from the UA to the server is plaintext (e.g., logon/passwords). If, instead, authentication relies only on possession of the user's private key, then any human can sit at the user's console and automatically authenticate to all HTTP servers.

I'd prefer a radically different approach (TLS = out of scope).

Frank Migacz
Technical Instructor
Received on Friday, 7 May 2010 07:44:38 UTC