IETF Logo Mail Archive

Re: not really pgp signing in van

Martin Thomson <martin.thomson@gmail.com> Tue, 10 September 2013 18:47 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE88411E8101 for <ietf@ietfa.amsl.com>; Tue, 10 Sep 2013 11:47:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.025
X-Spam-Level:
X-Spam-Status: No, score=-2.025 tagged_above=-999 required=5 tests=[AWL=0.575, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d8MPsYHExcUM for <ietf@ietfa.amsl.com>; Tue, 10 Sep 2013 11:47:30 -0700 (PDT)
Received: from mail-wg0-x234.google.com (mail-wg0-x234.google.com [IPv6:2a00:1450:400c:c00::234]) by ietfa.amsl.com (Postfix) with ESMTP id 534C821F9B7F for <ietf@ietf.org>; Tue, 10 Sep 2013 11:47:29 -0700 (PDT)
Received: by mail-wg0-f52.google.com with SMTP id m14so7053984wgh.19 for <ietf@ietf.org>; Tue, 10 Sep 2013 11:47:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=fcCfmTm5dJpMY4PJqTcfPC/yXG0Y0M0HP6lzMsoFtns=; b=m4htrSpweKC93cjvB33WKE5DlKPQH1v0ErVax6E74zNEuD56rUWLPuXq7p4nB57bbj sHWx3bUsekexMBQtez1x+p65APr0fQLTBI4DaLUvavmelildKKfkwode96yDLcEuWB9F ukGEphVJAM4NCXXeOqEaksHQP2sRd6C5nx+yoM42JFmFiFY8xEyoTOSM2MPNrECI05+h mBlqgsIxKGK31tjqgZyTS+LGSmbENG8L9gRud8MruFUPgiewziBHTjlp21Wr3RmCfmXR vwF5ro2yjEFDO8WqDmKMsO1/S1jTCha8el6kDky1MnMo7wSlSHoYW98DESR4sUjgdwqQ E7Cg==
MIME-Version: 1.0
X-Received: by 10.180.82.164 with SMTP id j4mr14064770wiy.65.1378838847327; Tue, 10 Sep 2013 11:47:27 -0700 (PDT)
Received: by 10.194.28.39 with HTTP; Tue, 10 Sep 2013 11:47:27 -0700 (PDT)
In-Reply-To: <E2ECE63C-D8E4-4A5A-BEA3-295C027D0E71@nominum.com>
References: <20130910010719.33978.qmail@joyce.lan> <8D23D4052ABE7A4490E77B1A012B63077527E234@mbx-01.win.nominum.com> <alpine.BSF.2.00.1309092125360.34090@joyce.lan> <8D23D4052ABE7A4490E77B1A012B63077527E488@mbx-01.win.nominum.com> <CAMm+LwhZ9OKesZW+kFct5Gps6_JBzcNUUBQ-y5J21zMcxmL6EQ@mail.gmail.com> <241D1DD6-C096-49D6-A05B-33638846BF15@nominum.com> <CAMm+LwhhUzDX=AaJXSCkqJofHQ9ZiN11GmCw-reO0OPmNC4fyA@mail.gmail.com> <E2ECE63C-D8E4-4A5A-BEA3-295C027D0E71@nominum.com>
Date: Tue, 10 Sep 2013 11:47:27 -0700
Message-ID: <CABkgnnVmsOh0f=vHi7UR8ZJ0iFCoS0s9WigYJXBZAiMQTfg6RA@mail.gmail.com>
Subject: Re: not really pgp signing in van
From: Martin Thomson <martin.thomson@gmail.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
Content-Type: text/plain; charset="UTF-8"
Cc: John R Levine <johnl@taugh.com>, "<ietf@ietf.org>" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2013 18:47:37 -0000

On 10 September 2013 11:36, Ted Lemon <Ted.Lemon@nominum.com> wrote:
> So I run Javascript provided by Comodo to generate the key pair.   This means that my security depends on my willingness and ability to read possibly obfuscated Javascript to make sure that it only uploads the public half of the key pair.

It's actually far worse than that when you consider the inherent
mutability of JavaScript.

The WebCrypto API should go a long way to addressing your concerns though.

v2.23.0 | Report a Bug | By Email