Search Mailing List Archives
[liberationtech] pgp message encryption and decrypion using just a browser
steveweis at gmail.com
Wed Feb 9 10:57:57 PST 2011
Regarding the generateKeyPair() call, browsers have been able to generate
and store personal certificates from the client-side since the 90s. As an
example, Jeff Schiller (http://jis.qyv.name/) implemented strong client
authentication for MIT using browser-generated certificates. Students go
through a registration page (https://ca.mit.edu/ca/) which will install a
local SSL client certificate. The documentation on how to do this is slim. I
think MIT is using <keygen> for Firefox & Safari and ActiveX with CryptoAPI
for IE. Chrome does not support this as far as I know.
There is a proposal for including <keygen> in HTML5:
http://www.w3.org/TR/html-markup/keygen.html . This is a pretty good summary
of the state of keygen:
blog post from a couple years ago discusses some of the conflict over
including it in HTML5: http://blog.whatwg.org/this-week-in-html5-episode-35
However, one missing gap is that I think you can only use these key material
for SSL. As far as I know, you can't encrypt arbitrary blobs of data or
implement PGP. There is room for improvement, so I think you're on the right
track. I know that there has been some work on getting basic crypto API
calls like this into HTML5.
On Tue, Feb 8, 2011 at 3:48 PM, David Dahl <david at ddahl.com> wrote:
> I have been wanting to follow up on this thread, which means writing
> some code.:)
> I have distilled the 3 methods needed to construct any kind of
> PGP-like web application. My new extension, DOMCrypt, attaches a
> crypt.generateKeyPair(), crypt.encrypt() and crypt.decrypt().
> All of the underlying crypto code is handled by NSS - the same library
> used for the SSL/HTTPS. This is not a 'native JS' solution. It is fast
> C code under the hood.
> See http://mozilla.ddahl.com/domcrypt/demo.html for a demo, the code
> is here: https://github.com/daviddahl/domcrypt
> On Sun, Sep 26, 2010 at 6:21 AM, David Dahl <david at ddahl.com> wrote:
> > provided by Firefox Sync. The underlying bits are implemented in C++
> > (NSS), so it is pretty fast. I am slowly building up a toolkit for
> > messaging in a pseudo-anonymous fashion called "Droplettr" and am
> > looking for contributors. The entire thing is open source and is
> > designed to be used like a protocol instead of a walled garden.
> > Repo: http://bitbucket.org/daviddahl/droplettr/
> > Site: https://droplettr.com/
> > Things are in a state of brokenness at the moment, as this is a side
> > research project of mine.
> > Regards,
> > David
> > On Sat, Sep 25, 2010 at 12:00 AM, Danny O'Brien <DObrien at cpj.org> wrote:
> >> This really isn't what you want Frank (at all!), but its bizarreness
> plus tangential connection to your question was too good to miss:
> >> http://www.links.org/?p=993
> >> It's TLS (including client-side certificates), re-implemented in
> greater experimentation with security UI, which I think everyone agrees is
> the current Hard Problem.
> >> d.
> >> On Sep 23, 2010, at 11:08 PM, Frank Corrigan wrote:
> >>> For some time I have been investigating the availability of web pages
> >>> that provide easy to use password creation and message encryption
> >>> capabilities and can therefore be downloaded and used off line. And
> >>> works across all common OSs and browsers.
> >>> Examples are
> >>> https://www.pwdhash.com
> >>> as one of many options for password creation
> >>> and http://www.hanewin.net/encrypt/PGcrypt.htm
> >>> to encrypt messages using a recipients pgp Public key.
> >>> The help I am requesting is whether anyone knows of an online resource,
> >>> that meets the above criteria, that can not only encrypt text using a
> >>> pgp Public key but also has a facility to decrypt a pgp message with
> >>> recipients Private key?
> >>> I am aware of FireGPG:
> >>> http://getfiregpg.org/s/home
> >>> which is excellent, though sadly now discontinued, but it is tied to
> >>> Fire Fox through an add-on and it's functions are dependent upon a
> >>> install of GPG.
> >>> Thanks
> >>> Frank
> >>> _______________________________________________
> >>> liberationtech mailing list
> >>> liberationtech at lists.stanford.edu
> >>> Should you need to change your subscription options, please go to:
> >>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >> _______________________________________________
> >> liberationtech mailing list
> >> liberationtech at lists.stanford.edu
> >> Should you need to change your subscription options, please go to:
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> liberationtech mailing list
> liberationtech at lists.stanford.edu
> Should you need to change your subscription options, please go to:
> If you would like to receive a daily digest, click "yes" (once you click
> above) next to "would you like to receive list mail batched in a daily
> You will need the user name and password you receive from the list
> moderator in monthly reminders.
> Should you need immediate assistance, please contact the list moderator.
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the liberationtech