Re: [dev] seif opinions?

2016-09-25 Thread Ben Woolley

> On Sep 25, 2016, at 9:29 AM, Nick Warne  wrote:
> 
> On Sun, 25 Sep 2016 09:23:11 -0700
> Louis Santillan  wrote:
> 
> 
>> infrastructure player (like a bank {PayPal}...
> 
> Paypal isn't a bank.
> 

It operates multiple banks. It depends on the legal definition of where it is 
operating. It even now owns the bank that issues credit for PayPal Credit, so 
it is more than one type of bank. 

And they are certainly an infrastructure player, and exactly the appropriate 
type of company for this example. 

> Nick
> -- 
> "Gosh that takes me back... or is it forward?  That's the trouble with
> time travel, you never can tell."
>-- Doctor Who "Androids of Tara"
> 



Re: [dev] seif opinions?

2016-09-25 Thread Nick Warne
On Sun, 25 Sep 2016 09:23:11 -0700
Louis Santillan  wrote:


> infrastructure player (like a bank {PayPal}...

Paypal isn't a bank.

Nick
-- 
"Gosh that takes me back... or is it forward?  That's the trouble with
time travel, you never can tell."
-- Doctor Who "Androids of Tara"



Re: [dev] seif opinions?

2016-09-25 Thread Louis Santillan
On Sun, Sep 25, 2016 at 1:47 AM, Hiltjo Posthuma  wrote:
> On Sat, Sep 24, 2016 at 10:44:33PM -0700, Louis Santillan wrote:
>> Has anybody considered seif [0][1]?
>>
>> I disagree with the choice of nodejs & Qt, and the idea of capturing
>> entropy from microphone and camera are interesting but gameable. I
>> think the overall concept is viable.
>>
>> [0] (Repo) http://www.seif.place
>> [1] (Talk) https://www.oreilly.com/ideas/the-seif-project
>>
>
> Can you give a (brief) background information what the project does?

Sorry, not brief.

The talks, the code [0][1] and the lone protocol document [2] say it
best.  A little like the HTTPSSH [3] Sylvain was describing but
prescriptive as to the technology stack.

Instead of HTTP or HTTPS (which is HTTP+TLS these days), replace the
negotiation of the HTTP protocol with a PKI style 2 packet handshake
over TCP that are in the form of JSON messages.  All future (also
encrypted JSON message) commands & responses are then processed using
nodejs client/servers.  Instead of using markup + stylesheets (or SVG
or VRML or XForm or etc or W3C crap standard) as the presentation
layer, specify & utilize Qt.  Lastly, to support eventual replacement
of the web (instead of wholesale replacement) create & support an open
browser plugin so that seif clients/servers can be ed &
utilized in the current set of web infrastructure.  A new
browser/client/mobile app is also supportable if a large
infrastructure player (like a bank {PayPal} or healthcare provider or
etc) can provide value through it.

The specification is so far very high level and client/server examples
are relatively new.  I would have leaned towards extending a gopher
protocol like solution.

What I like:
* Use of the PKI-style handshake for secure communication without CA
infrastructure
* Non-use of HTML/CSS
* The use of JSON as command response language (almost anything is an
improvement over HTTP though)
* Use of an actual GUI command set

What I dislike:
* The specification of nodejs
* The specification of Qt (I would have been ok with even a new GUI lib but
understand that this is a compromise of what's available)
* The invasive & prescriptive use of hardware for entropy collection
* The lack of unencrypted fallback for human readable messages & debugging
* The lack of a document mode (or text mode) vs. application mode


[0] https://github.com/paypal/seifnode
[1] https://github.com/paypal/seif-protocol/blob/master/examples/
[2] 
https://raw.githubusercontent.com/paypal/seif-protocol/master/doc/seifhandshake.html
[3] http://lists.suckless.org/dev/1609/30541.html



Re: [dev] https for suckless.org?

2016-09-25 Thread ilf

Sylvain BERTRAND:

> HTTPS CA concept is broken in itself, then adds unwanted complexity.


X.509 is bad design, but we can leave that for people that really don't 
know any different - and it's still better than unauthenticated 
cleartext.


Everyone else - the suckless crowd - can use certificate pinning.

--
ilf

More than 80 million Germans don't use a console. Don't click away!
-- An initiative of the Federal Office for Keyboard Use


signature.asc
Description: PGP signature
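An added example, not part of this thread and not code from seif, suckless or any poster: what ilf's "use certificate pinning" and Louis's "secure communication without CA infrastructure" look like in standard-library Python. A small DER walker pulls the SubjectPublicKeyInfo out of an X.509 certificate, the pin is base64(SHA-256(SPKI)) in the RFC 7469 form, and the pin set is compared in constant time with a backup pin allowed for key rotation. The certificate in the block is a constructed, unsigned skeleton with empty name fields, built only to exercise the parser; connect_pinned is a hypothetical wrapper name showing where the check replaces CA validation in a real client.

```python
import base64
import hashlib
import hmac
import socket
import ssl


def _tlv(tag, body):
    """Encode one DER TLV (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf, off):
    """Decode the DER TLV at buf[off:]; returns (tag, value_start, value_end).
    Single-byte tags only, which is all the outer X.509 structure uses."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, ln = buf[off], buf[off + 1]
    hdr = 2
    if ln & 0x80:
        n = ln & 0x7F
        if n == 0 or n > 4 or off + 2 + n > len(buf):
            raise ValueError("bad DER length")
        ln = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    start, end = off + hdr, off + hdr + ln
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, start, end


def spki_from_der_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo (tag, length and value) of a certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, off, tbs_end = _read_tlv(cert_der, start)
    if tag != 0x30:
        raise ValueError("not a TBSCertificate SEQUENCE")
    tag, _, end = _read_tlv(cert_der, off)
    if tag == 0xA0:          # optional EXPLICIT [0] version
        off = end
    for _ in range(5):       # serialNumber, signature, issuer, validity, subject
        _, _, off = _read_tlv(cert_der, off)
    tag, _, end = _read_tlv(cert_der, off)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("no SubjectPublicKeyInfo where expected")
    return cert_der[off:end]


def spki_pin(cert_der):
    """RFC 7469 style pin: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_from_der_cert(cert_der)).digest()).decode()


def pin_matches(cert_der, pins):
    """True if the leaf's SPKI pin is in the pin set; keep a backup pin for the
    key you will rotate to, or a rotation locks every client out."""
    pin = spki_pin(cert_der)
    return any(hmac.compare_digest(pin, p) for p in pins)


def connect_pinned(host, port, pins):
    """Hypothetical wrapper: TLS with CA chain validation replaced by the pin check.
    CERT_NONE skips chain building; the leaf is still sent and is checked here.
    Hostname checking is dropped on purpose: the pinned key is the identity."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError("SPKI pin mismatch for %s" % host)
    return tls


def build_fake_cert(spki):
    """Constructed, unsigned X.509 skeleton used only to exercise the parser."""
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))   # [0] version v3
               + _tlv(0x02, b"\x01")             # serialNumber
               + _tlv(0x30, b"")                 # signature AlgorithmIdentifier (placeholder)
               + _tlv(0x30, b"")                 # issuer (placeholder)
               + _tlv(0x30, b"")                 # validity (placeholder)
               + _tlv(0x30, b"")                 # subject (placeholder)
               + spki)
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def sample_spki(key_byte):
    """SPKI-shaped TLV with a 256-byte fake key, so long-form lengths are exercised."""
    return _tlv(0x30, _tlv(0x30, b"") + _tlv(0x03, b"\x00" + bytes([key_byte]) * 256))


def expected_pin(spki):
    """Pin computed directly from an SPKI blob, for checking the parser's result."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()


SAMPLE_SPKI = sample_spki(0x41)             # constructed sample data
SAMPLE_CERT = build_fake_cert(SAMPLE_SPKI)
OTHER_CERT = build_fake_cert(sample_spki(0x42))

if __name__ == "__main__":
    print("pin:", spki_pin(SAMPLE_CERT))
    print("match:", pin_matches(SAMPLE_CERT, [spki_pin(SAMPLE_CERT)]))
    print("other:", pin_matches(OTHER_CERT, [spki_pin(SAMPLE_CERT)]))
```

Pinning the SPKI rather than the whole certificate lets the server renew the certificate (new validity, new serial) under the same key without changing the pin; a leaf-certificate hash would break on every renewal. The trade-off ilf's line alludes to is that the pin has to be distributed out of band and a lost key with no backup pin means a hard outage, which is why the pin set takes a list.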


Re: [dev] seif opinions?

2016-09-25 Thread Hiltjo Posthuma
On Sat, Sep 24, 2016 at 10:44:33PM -0700, Louis Santillan wrote:
> Has anybody considered seif [0][1]?
> 
> I disagree with the choice of nodejs & Qt, and the idea of capturing
> entropy from microphone and camera are interesting but gameable. I
> think the overall concept is viable.
> 
> [0] (Repo) http://www.seif.place
> [1] (Talk) https://www.oreilly.com/ideas/the-seif-project
> 

Can you give a (brief) background information what the project does?

-- 
Kind regards,
Hiltjo