<br><br><div class="gmail_quote">On Tue, Oct 21, 2008 at 9:36 AM, Eduard Pascual <span dir="ltr"><<a href="mailto:herenvardo@gmail.com">herenvardo@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">On Tue, Oct 21, 2008 at 2:16 PM, Aaron Swartz <<a href="mailto:me@aaronsw.com">me@aaronsw.com</a>> wrote:<br>
</div><div class="Ih2E3d">> My proposal: add something to HTML5 so that the transaction looks like this:<br>
><br>
> Client: GET /login<br>
> Server: <html><form method="post" pubkey="/pubkey.key">...<br>
> Client: POST /login<br>
> dXNlcj1qb2VzbWl0aDAxJnBhc3N3b3JkPXNlY3JldA==<br>
> Server: 200 OK<br>
> Set-Cookie: acct=joesmith01,2008-10-21,sj89d89asd89s8d<br>
><br>
> where the base64 string is the form data encrypted with the key<br>
> downloaded from /pubkey.key. This should be fairly easy to implement<br>
> (for clients and servers), falls back to exactly the current behavior<br>
> on browsers that don't support it, and solves a rather important<br>
> problem on the Web.<br>
</div>What's the actual difference between this and https? Both mechanisms<br>
are using public-key encryption to protect the communications; the<br>
only difference being that with https the encryption is handled at the<br>
protocol level; while your suggestion would (currently) require to<br>
reinvent the wheel, encrypting the data on the client (maybe using<br>
JavaScript?) and then decripting it on the server (probably via<br>
server-side scripting).<br>
Maybe there is a good point on that suggestion, and I'm simply failing<br>
to see it. If that's the case, I invite you to enlighten me on it.<br>
</blockquote></div><br>I agree in general with the criticisms raised here, but I'll correct a small point in your post. The goal for this is to *not* require authors to do any client-side encrypting, but for the UAs to encrypt instead. It would then be the responsibility of the author to decrypt on the server side.<br>
<br>~TJ<br>