On Thu, Feb 21, 2013 at 5:49 PM, Nils Kenneweg <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Am 20.02.2013 17:40, schrieb Nick Jennings: > > > I do not agree with guys saying the browser is an unpredictable > environment. You always assume some part working correctly (OS most of > the times) so why not the browser? > > You can not verify the client source code on load easily, because you > have to load the verification code ... this leads to some kind of > chicken-egg problem. If you have loaded your verification code, who > tells you it was not tampered with. Of course you can use ssl or hope > that one day js code signing will be a possibility too but until then > as soon as you load one unsigned js file, there is no true verification. > > Regards, > Nils
Interesting points, and I think I agree with you. I was merely bringing up the opinion I've heard from others when I bring up the subject. I'm very happy the OpenPGP.js project is around. :) _______________________________________________ http://openpgpjs.org
