On Thu, May 6, 2010 at 8:44 AM, <[email protected]> wrote:
> <meta="encrypt" pubkey="ABABAEFEF2626EFEFEF" pubtool="EC256-AES|RSA2048-AES"
> passsalt="no|domainname" auth="verisign">
>
I see a few shortcomings in this approach:

a) each document is encrypted asymmetrically, affecting performance.

b) there is no management of keys (expiration, revocation, trust, etc.).

c) the values for the pubtool attribute (encryption algorithm) will need to be spec'd, slowing the deployment of new encryption algorithms (or better techniques altogether).

d) how to handle XMLHttpRequests? how to handle XHRs receiving JSON or text?

e) information from the UA to the server is plaintext (e.g., logon/passwords). If, instead, authentication relies only on possession of the user's private key, then any human can sit at the user's console and automatically authenticate to all HTTP servers.

I'd prefer a radically different approach (TLS = out of scope).

Frank Migacz
Technical Instructor
