On 8 April 2015 at 13:36, Christoph Anton Mitterer
<calestyo(_at_)scientia(_dot_)net> wrote:
On Wed, 2015-04-08 at 15:32 +0000, David Leon Gil wrote:
Brief update on plans for deprecation: The tracking issue is at
https://github.com/yahoo/end-to-end/issues/31
Please feel free to open another issue if you have specific
objections. I will either be convinced by your arguments, and change
the plan, or explain why I don't.
Look, as I've pointed out previously, I personally think that crypto,
done as a web app is inherently untrustworthy.
Maybe I just got something wrong, but AFAIU the idea of "e2e" projects
like your's is to add e2e crypto into your webapps, e.g. via javascript.
Thus the software doing crypto is each time downloaded again from the
server by the client, right?
No. Most (and by most I mean the more high-profile ones that try to do
it as correct as possible[0]) have moved virtually all operations into
a browser extension. It is downloaded and installed once, updated
based on how the browser updates extensions, and (for better or worse)
mediates through a third party (the browser's add store) to prevent
individual targeting of users by the plugin author.
So ultimately control is again fully at the vendor (at any time he could
send other code and no one would notice), and fully dependent on a
working https (which is as we should all know by now inherently insecure
due to the issues of the CA system).
No, as above, and regarding the CA system - Which itself is addressed
by some projects and services using HPKP.
On 10 April 2015 at 11:46, ianG <iang(_at_)iang(_dot_)org> wrote:
Look, as I've pointed out previously, I personally think that crypto,
done as a web app is inherently untrustworthy.
Which is out of scope for this list, right?
Agreed. But I feel compelled to correct factual inaccuracies.
I saw no such implication. I personally appreciate it when vendors actually
do tell us what they are doing when that effects the way many users are
going to be using the product. In our fishbowl, we sometimes lack the
context of what happens out in the field, so news of that nature - hopefully
concise and clear - is welcome. To me at least.
Double agreed. I wouldn't want a working group to be an -announce
list of product releases, but since I literally found a completely new
OpenPGP plugin yesterday (gpg4o), I'm happy to read concise reports on
how different plugins/tools operate at the standard layer, and that
nebulous 'above-standard' layer like PGP/MIME quirks. One day one of
them may help me figure out how my Outlook server is broken wrt to
mac's gpgtools and some-but-not-all other PGP clients.
-tom
[0] Yahoo and Google's E2E, CryptoCat, Mailvelope
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp