<span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">On Thu, May 6, 2010 at 8:44 AM, &lt;<a href="mailto:juuso_html5@tele3d.net" style="color: rgb(17, 65, 112); ">juuso_html5@tele3d.net</a>&gt; wrote:<br>
> &lt;meta="encrypt" pubkey="ABABAEFEF2626EFEFEF" pubtool="EC256-AES|RSA2048-AES"<br>> passsalt="no|domainname" auth="verisign"&gt;<br>></span><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br>
</span></div><div><font class="Apple-style-span" face="arial, sans-serif"><span class="Apple-style-span" style="border-collapse: collapse;">I see a few shortcomings in this approach:</span></font></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; border-collapse: collapse; ">a) each document is encrypted asymmetrically, affecting performance.</span></div>
<div><font class="Apple-style-span" face="arial, sans-serif"><span class="Apple-style-span" style="border-collapse: collapse;">b) there is no management of keys (expiration, revocation, trust, etc).</span></font></div><div>
<font class="Apple-style-span" face="arial, sans-serif"><span class="Apple-style-span" style="border-collapse: collapse;">c) the values for the pubtool attribute (encryption algorithm) will need to be spec'd, slowing the deployment of new encryption algorithms (or better techniques altogether).</span></font></div>
<div><font class="Apple-style-span" face="arial, sans-serif"><span class="Apple-style-span" style="border-collapse: collapse;">d) how to handle XMLHttpRequests? how to handle XHRs receiving JSON or text?</span></font></div>
<div><font class="Apple-style-span" face="arial, sans-serif"><span class="Apple-style-span" style="border-collapse: collapse;">e) information from the UA to the server is plaintext (e.g., logon/passwords). If, instead, authentication relies only on possession of the user's private key, then any human can sit at the user's console and automatically authenticate to all HTTP servers.</span></font></div>
<div><font class="Apple-style-span" face="arial, sans-serif"><span class="Apple-style-span" style="border-collapse: collapse;"><br></span></font></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; border-collapse: collapse; ">I'd prefer a radically different approach (TLS = out of scope).</span></div>
<div><font class="Apple-style-span" face="arial, sans-serif"><span class="Apple-style-span" style="border-collapse: collapse;"><br></span></font></div><div><font class="Apple-style-span" face="arial, sans-serif"><span class="Apple-style-span" style="border-collapse: collapse;">Frank Migacz</span></font></div>
<div><font class="Apple-style-span" face="arial, sans-serif"><span class="Apple-style-span" style="border-collapse: collapse;">Technical Instructor</span></font></div>