[liberationtech] pgp message encryption and decrypion using just a browser

Wed Feb 9 10:57:57 PST 2011

Regarding the generateKeyPair() call, browsers have been able to generate
and store personal certificates from the client-side since the 90s. As an
example, Jeff Schiller (http://jis.qyv.name/) implemented strong client
authentication for MIT using browser-generated certificates. Students go
through a registration page (https://ca.mit.edu/ca/) which will install a
local SSL client certificate. The documentation on how to do this is slim. I
think MIT is using <keygen> for Firefox & Safari and ActiveX with CryptoAPI
for IE. Chrome does not support this as far as I know.

There is a proposal for including <keygen> in HTML5:
http://www.w3.org/TR/html-markup/keygen.html . This is a pretty good summary
of the state of keygen:
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080714/07ea5534/attachment.txt
. This
blog post from a couple years ago discusses some of the conflict over
including it in HTML5: http://blog.whatwg.org/this-week-in-html5-episode-35

However, one missing gap is that I think you can only use these key material
for SSL. As far as I know, you can't encrypt arbitrary blobs of data or
implement PGP. There is room for improvement, so I think you're on the right
track. I know that there has been some work on getting basic crypto API
calls like this into HTML5.

On Tue, Feb 8, 2011 at 3:48 PM, David Dahl <david at ddahl.com> wrote:

> I have been wanting to follow up on this thread, which means writing
> some code.:)
>
> I have distilled the 3 methods needed to construct any kind of
> PGP-like web application. My new extension, DOMCrypt, attaches a
> 'crypt' property to each web page giving Javascript developers
> crypt.generateKeyPair(), crypt.encrypt() and crypt.decrypt().
>
> All of the underlying crypto code is handled by NSS - the same library
> used for the SSL/HTTPS. This is not a 'native JS' solution. It is fast
> C code under the hood.
>
> See http://mozilla.ddahl.com/domcrypt/demo.html for a demo, the code
> is here: https://github.com/daviddahl/domcrypt
>
> Regards,
>
> David
>
> On Sun, Sep 26, 2010 at 6:21 AM, David Dahl <david at ddahl.com> wrote:
> > I have been experimenting with the JavaScript API for PKI that is
> > provided by Firefox Sync. The underlying bits are implemented in C++
> > (NSS), so it is pretty fast. I am slowly building up a toolkit for
> > messaging in a pseudo-anonymous fashion called "Droplettr" and am
> > looking for contributors. The entire thing is open source and is
> > designed to be  used like a protocol instead of a walled garden.
> >
> > Repo: http://bitbucket.org/daviddahl/droplettr/
> >
> > Site: https://droplettr.com/
> >
> > Things are in a state of brokenness at the moment, as this is a side
> > research project of mine.
> >
> > Regards,
> >
> > David
> >
> > On Sat, Sep 25, 2010 at 12:00 AM, Danny O'Brien <DObrien at cpj.org> wrote:
> >> This really isn't what you want Frank (at all!), but its bizarreness
> plus tangential connection to your question was too good to miss:
> >>
> >> http://www.links.org/?p=993
> >>
> >> It's TLS (including client-side certificates), re-implemented in
> in-browser Javascript. Ben's point is that such an implementation allows
> greater experimentation with security UI, which I think everyone agrees is
> the current Hard Problem.
> >>
> >> d.
> >>
> >> On Sep 23, 2010, at 11:08 PM, Frank Corrigan wrote:
> >>
> >>> For some time I have been investigating the availability of web pages
> >>> that provide easy to use password creation and message encryption
> >>> functions, which only depend upon web browsers inbuilt javascript
> >>> capabilities and can therefore be downloaded and used off line. And
> >>> works across all common OSs and browsers.
> >>>
> >>> Examples are
> >>> https://www.pwdhash.com
> >>> as one of many options for password creation
> >>>
> >>> and http://www.hanewin.net/encrypt/PGcrypt.htm
> >>> to encrypt messages using a recipients pgp Public key.
> >>>
> >>> The help I am requesting is whether anyone knows of an online resource,
> >>> that meets the above criteria, that can not only encrypt text using a
> >>> pgp Public key but also has a facility to decrypt a pgp message with
> the
> >>> recipients Private key?
> >>>
> >>> I am aware of FireGPG:
> >>> http://getfiregpg.org/s/home
> >>>
> >>> which is excellent, though sadly now discontinued, but it is tied to
> >>> Fire Fox through an add-on and it's functions are dependent upon a
> local
> >>> install of GPG.
> >>>
> >>> Thanks
> >>> Frank
> >>> _______________________________________________
> >>> liberationtech mailing list
> >>> liberationtech at lists.stanford.edu
> >>>
> >>> Should you need to change your subscription options, please go to:
> >>>
> >>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >>
> >> _______________________________________________
> >> liberationtech mailing list
> >> liberationtech at lists.stanford.edu
> >>
> >> Should you need to change your subscription options, please go to:
> >>
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >>
> >
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click
> above) next to "would you like to receive list mail batched in a daily
> digest?"
>
> You will need the user name and password you receive from the list
> moderator in monthly reminders.
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20110209/aab265c3/attachment.html>