sks-devel

Re: [Sks-devel] Encrypt.to searching for beta users


From: John Clizbe
Subject: Re: [Sks-devel] Encrypt.to searching for beta users
Date: Mon, 09 Dec 2013 20:19:23 -0600
User-agent: Mozilla/5.0 (X11; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0 SeaMonkey/2.23

Kristian Fiskerstrand wrote:
> Granted this whole discussion probably belongs somewhere else, but
> since we're first on the topic, let me chime in my two cents.
> 
> First of all, any encryption done in a browser will at least have to
> be done in a browser extension that does not auto-update. One thing is
> whether one trusts a service today, but if tomorrow some completely
> different JS can be injected (or only injected based on e.g. IP
> address, or other identifiers for a specific user, which we have seen
> some cases of) then it can't be trusted.

BIG ACK

> Second, key validation. Your friends (or friends of anyone using the
> service) would have to carry along a phone-book of fingerprint, key
> types and sizes for each recipient. Other than the short key ID I
> don't see anywhere where this website provides information useful for
> key verification procedures. Not even after encryption; what happens if
> there is a short keyid collision? and is there a way to verify the
> structure of the encrypted message before sending? (similar to gnupg's
> --list-packets)

For example: https://encrypt.to/0xDEADBEEF comes to mind right away.

How does the code handle keys with multiple email addresses? Does it mail-bomb
them all?

NB: Those wishing to try the code and query their own keyserver need to be
running my latest trunk. The patch adding the header that OpenJS needs to be
able to query keyservers is still sitting in a pull request for Yaron.

-John

-- 
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:address@hidden

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"


Attachment: signature.asc
Description: OpenPGP digital signature
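
An added illustration of the short key ID collision concern raised in this message; it is not part of the original thread and not Encrypt.to's code. The keyring, fingerprints, addresses and the `resolveRecipient` helper are constructed for the example. It shows a lookup that refuses an ambiguous short ID and returns full fingerprints and all user IDs so the sender has something to verify.

```javascript
// Added example. KEYRING is constructed sample data; the fingerprints are made up.
// V4 fingerprints are 160 bits (40 hex chars); the long key ID is the low
// 64 bits and the short key ID the low 32 bits of the fingerprint.
const KEYRING = [
  { fpr: '1111222233334444555566667777AAAADEADBEEF', uids: ['alice@example.org'] },
  { fpr: '9999888877776666555544443333BBBBDEADBEEF', uids: ['mallory@example.net'] },
  { fpr: '0123456789ABCDEF0123456789ABCDEF01234567',
    uids: ['bob@example.org', 'bob@work.example'] },
];

// Strip whitespace and an optional 0x prefix, upper-case the hex digits.
function normalize(id) {
  return String(id).replace(/\s+/g, '').replace(/^0x/i, '').toUpperCase();
}

// Decide what kind of identifier was supplied, by length.
function classify(hex) {
  if (!/^[0-9A-F]+$/.test(hex)) return 'invalid';
  return { 8: 'short', 16: 'long', 40: 'fingerprint' }[hex.length] || 'invalid';
}

// Hypothetical resolver: matches the identifier against the tail of each
// fingerprint and never silently picks one key when several match.
function resolveRecipient(id, keyring) {
  const hex = normalize(id);
  const kind = classify(hex);
  if (kind === 'invalid') return { status: 'rejected', kind, candidates: [] };
  const candidates = keyring
    .filter((k) => k.fpr.toUpperCase().endsWith(hex))
    .map((k) => ({ fpr: k.fpr, uids: k.uids.slice() }));
  let status;
  if (candidates.length === 0) status = 'not-found';
  else if (candidates.length > 1) status = 'ambiguous'; // collision: refuse
  else if (kind !== 'fingerprint') status = 'needs-confirmation'; // unique here only
  else status = 'ok';
  return { status, kind, candidates };
}

// Show the outcome for a colliding short ID, a unique short ID and a full fingerprint.
for (const id of ['0xDEADBEEF', '0x01234567', '0123456789ABCDEF0123456789ABCDEF01234567']) {
  const r = resolveRecipient(id, KEYRING);
  console.log(id, '->', r.status, r.candidates.map((c) => `${c.fpr} ${c.uids.join(', ')}`));
}
```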

