On Tue, Mar 10, 2009 at 9:01 AM, Brian Candler <[email protected]> wrote:
> Inventing new cryptosystems is dangerous. Why not an OpenPGP armored
> detached signature?
>
> {"hello":"world","signature":"-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.6 (GNU/Linux)\n\niD8DBQBJto4vlKln0Ovw7PARAlipAJ4tFqpJRikySLnynzbe6XxzIQ2PnACgipzl\n7qRjToRgvNXLdSEQ1V+aJEQ=\n=ykd/\n-----END PGP SIGNATURE-----\n"}
>
> Or else a binary detached signature, base64-encoded.
>
I found two candidate JS libs for doing the public key crypto in the browser:

http://github.com/starpeak/protocrypt/tree/master

MIT licensed but depends on Prototype. Should be easy to fix. Incomplete - I think it only does decrypt. Code quality looks fine.

http://www.hanewin.net/encrypt/

GPL, more feature complete, less browser-centric. Overall more ready-to-go.

Not sure I want to find out the hard way what happens when you start mixing GPL code into applications that blur the boundary between client and server. Maybe it doesn't matter, maybe it's a pain.

Anyone else have other leads?

--
Chris Anderson
http://jchris.mfdz.com
