Re: [Sks-devel] javascript web of trust visualization: CORS and keyserve

sks-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] javascript web of trust visualization: CORS and keyserve

From:	Geoffrey Irving
Subject:	Re: [Sks-devel] javascript web of trust visualization: CORS and keyserver spam
Date:	Tue, 10 Sep 2013 17:41:39 -0700

On Sep 10, 2013, at 5:31 PM, Geoffrey Irving <address@hidden> wrote:

> On Sep 10, 2013, at 5:06 PM, Christoph Anton Mitterer <address@hidden> wrote:
> 
>> On Sun, 2013-09-08 at 13:05 -0700, Geoffrey Irving wrote: 
>>>>  http://naml.us/trust
>> Should that be a "live demo"? It doesn't work here with FF 23.
> 
> Yes, ideally it would work, but openpgp.js does require a fairly new browser. 
>  It works fine for me on FF 23.0.1, though.  You might try reloading the 
> page: there's currently a delay as my CORS proxy server starts back up after 
> going idle.
> 
>>> Here's candidate patch implementing CORS.
>> Do you see any chances to implement all that without requiring remote
>> code/content (and thus CORS)?
> 
> You could certainly ask people to drag a pubring.gpg onto the webpage 
> instead, but part of the goal is to visualize public keyserver data without 
> requiring people to install gpg first.  I'm not sure what you mean by "remote 
> code": the only remote code here is from naml.us/trust itself (currently it 
> accesses d3, but that will change soon).  I'm completely onboard with not 
> trusting javascript code for security, by the way, which is part of why I'm 
> hoping to only access public data and not ask people to input any secret 
> keyring information.

Quick clarification: by "secret keyring" information there, I was only 
referring to optionally hidden parts of the public keyring (which keys you have 
downloaded, their level of trusts), not any actual secret keys.  If you want to 
visualize the hidden stuff, don't use a public website.

Geoffrey

>> I guess many people will not really like that and some security
>> frameworks (things like NoScript) may block it anyway.
> 
> Yep, that's why I'm asking if there are specific keyserver hosts okay with 
> this kind of application.  NoScript is unrelated: it's about the client, not 
> the server.  If enabling CORS would damage the security of a keyserver or a 
> client using a keyserver, it would mean that either (1) keyservers are 
> storing private information as cookies on client machines or (2) 
> non-javascript code on other machines can exploit the same vulnerabilities.
> 
> Of course, if you have NoScript on, that would explain why it doesn't work 
> for you.
> 
> Geoffrey

signature.asc
Description: Message signed with OpenPGP using GPGMail

[Prev in Thread]

Current Thread

[Next in Thread]

[Sks-devel] javascript web of trust visualization: CORS and keyserver spam, Geoffrey Irving, 2013/09/08
- Re: [Sks-devel] javascript web of trust visualization: CORS and keyserver spam, Geoffrey Irving, 2013/09/08
  - Re: [Sks-devel] javascript web of trust visualization: CORS and keyserver spam, Christoph Anton Mitterer, 2013/09/10
    - Re: [Sks-devel] javascript web of trust visualization: CORS and keyserver spam, Geoffrey Irving, 2013/09/10
    - Re: [Sks-devel] javascript web of trust visualization: CORS and keyserver spam, Geoffrey Irving <=

Prev by Date: [Sks-devel] [PATCH] add fingerprint line to machine readable output
Next by Date: Re: [Sks-devel] [PATCH] add fingerprint line to machine readable output
Previous by thread: Re: [Sks-devel] javascript web of trust visualization: CORS and keyserver spam
Next by thread: [Sks-devel] Question about key hash calculation
Index(es):
- Date
- Thread