Re: [Social-discuss] PHP-Based GNU Social structure


From: Carlo von Loesch
Subject: Re: [Social-discuss] PHP-Based GNU Social structure
Date: Thu, 1 Apr 2010 00:44:04 +0200 (CEST)

| Ted Smith typeth:
| | We can do crypto in javascript; it'll be a pain, but a web UI can be
| | done securely.

Carlo von Loesch typeth:
| Wow, that would be quite a hack. The browser would thus be the
| keeper of our private keys? In what form, as a TLS client cert?

No wait. I can't imagine that to work out.
Let me paint a use case picture. Let's say I want to set up a
cryptographically private discussion page for a dozen people.

My browser needs to be able to generate a shared secret,
encode it for each of the 12 people using their respective
public keys, then send it to them.

Where the hell does the browser get the 12 public keys from
and how can I be sure they are truly the correct ones?

If it's my server sending me these useful items, how do I
know it hasn't been subpoenaed to send me MITM versions of
the public keys?

Will I have to walk through my friends' certificates one
by one and check their fingerprints each time I set up a
discussion forum?

I can't figure out a way to make this work without at least
a terribly smart Firefox add-on.
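
The use case in the message above, as an added example that is not part of the original post or of GNU Social: a WebCrypto sketch that wraps one group key per member, but only for public keys whose fingerprint matches a value pinned locally. The roster names, the local pin store and the three-member group (instead of twelve) are assumptions.

```javascript
// Added example. Roster names and the local pin store are assumptions.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const OAEP = { name: "RSA-OAEP", hash: "SHA-256" };
const GEN = { ...OAEP, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) };
const hex = buf => Array.from(new Uint8Array(buf), b => b.toString(16).padStart(2, "0")).join("");

// SHA-256 fingerprint of a DER-encoded SubjectPublicKeyInfo.
const fingerprint = async spki => hex(await subtle.digest("SHA-256", spki));

// Wrap one fresh AES-GCM group key for each member whose server-supplied key
// matches the locally pinned fingerprint; any other key is refused.
async function wrapGroupKey(serverKeys, pinned) {
  const groupKey = await subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
  const wrapped = {}, rejected = [];
  for (const [name, spki] of Object.entries(serverKeys)) {
    if (pinned[name] !== await fingerprint(spki)) { rejected.push(name); continue; }
    const pub = await subtle.importKey("spki", spki, OAEP, false, ["wrapKey"]);
    wrapped[name] = await subtle.wrapKey("raw", groupKey, pub, { name: "RSA-OAEP" });
  }
  return { groupKey, wrapped, rejected };
}

// Constructed demo: three members instead of twelve; the server swaps carol's key.
async function demo() {
  const pinned = {}, serverKeys = {}, privs = {};
  for (const name of ["alice", "bob", "carol"]) {
    const kp = await subtle.generateKey(GEN, false, ["wrapKey", "unwrapKey"]);
    serverKeys[name] = await subtle.exportKey("spki", kp.publicKey);
    pinned[name] = await fingerprint(serverKeys[name]); // checked once, out of band
    privs[name] = kp.privateKey;
  }
  const other = await subtle.generateKey(GEN, false, ["wrapKey", "unwrapKey"]);
  serverKeys.carol = await subtle.exportKey("spki", other.publicKey); // substituted key
  const { groupKey, wrapped, rejected } = await wrapGroupKey(serverKeys, pinned);
  // Bob unwraps his copy and must end up with the same group key.
  const bobKey = await subtle.unwrapKey("raw", wrapped.bob, privs.bob, { name: "RSA-OAEP" },
    { name: "AES-GCM" }, true, ["encrypt", "decrypt"]);
  const bobRecovered = hex(await subtle.exportKey("raw", bobKey)) === hex(await subtle.exportKey("raw", groupKey));
  return { recipients: Object.keys(wrapped), rejected, bobRecovered };
}

demo().then(result => console.log(result));
```

The pin check only holds if the pin store and the script itself are not delivered by the same server that supplies the keys, which is the gap the message attributes to a browser add-on.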