On 1/8/13 10:16 AM, Alex (via OpenPGP.js) wrote:
> Dear all,
>
> Happy New Year. I think it's time to give the OpenPGP.js project a bit
> more "love" in 2013. There are many items on the todo list - so let us
> address the first ones:
>
> 1. Marketing: Which projects are currently using OpenPGP.js? I would
> like to add links and logos to our web page. Also I just restarted to
> use the Twitter account http://twitter.com/openpgpjs to retweet and
> answer related posts. Anyone is welcome to join. Also I've created a
> new simple logo (see attached).

I'd be pleased to help with twittering on that topic.

> 2. Developing: It should be very easy for users to integrate the
> library into their web pages and for developers to enhance the current
> version. I think we can improve the current situation. So we also
> might want to move this mailing list to another one with archive
> support (btw: is a mailing list still an adequate perfect medium?)

Definitely that's a nice idea, we have a lot of knowledge sitting in our email client mailboxes. It may also be nice to have someone volunteering to hack and patch email archives (I can upload all that I have to a dedicated IMAP account) so that we can have indexed all the knowledge on OpenPGP.js generated till now.

> 3. Security: There are a lot of discussions about the advantages and
> drawbacks of using a JavaScript based OpenPGP library (within browsers
> or not). We should write some sort of "summarized and synthetic"
> (@naif: thanks.)

Yeah, I mean, we all know that the Javascript Encryption / Web Encryption topic is a "hot topic" capable of stimulating the most senior-crypto-trolling.

Because now there are many projects that are starting to use OpenPGP.js, as the OpenPGP.js group, I think we should try to provide a short assessment (like a table with bullet points to be flagged and/or described) to evaluate the "Security and Threat Model" of applications incorporating OpenPGP.js.

Because we all know that, depending on how we use OpenPGP.js, how the application is delivered to the end-user (via web, as a plugin, as a server app, as a desktop app) and how the encryption keys are delivered/selected (by the application itself, by looking up directly on a key server, by a third party service, embedded within the app?), VERY different threat models will apply.

So it may be very interesting to try to make such a synthetic table/summary with which to analyze existing applications using OpenPGP.js, and to keep this synthetic threat-model analysis of applications using it maintained.

What does the list think about that?

It may be a way to keep off crypto-trolling and bring more transparency to real use cases of javascript encryption stuff!

-naif

_______________________________________________
http://openpgpjs.org

