Re: [Sks-devel] javascript web of trust visualization: CORS and keyserver spam

[Geoffrey Irving]

On Sep 10, 2013, at 5:06 PM, Christoph Anton Mitterer <address@hidden> wrote:

> On Sun, 2013-09-08 at 13:05 -0700, Geoffrey Irving wrote: 
>>>   http://naml.us/trust
> Should that be a "live demo"? It doesn't work here with FF 23.

Yes, ideally it would work, but openpgp.js does require a fairly new browser.  
It works fine for me on FF 23.0.1, though.  You might try reloading the page: 
there's currently a delay as my CORS proxy server starts back up after going 
idle.

>> Here's candidate patch implementing CORS.
> Do you see any chances to implement all that without requiring remote
> code/content (and thus CORS)?

You could certainly ask people to drag a pubring.gpg onto the webpage instead, 
but part of the goal is to visualize public keyserver data without requiring 
people to install gpg first.  I'm not sure what you mean by "remote code": the 
only remote code here is from naml.us/trust itself (currently it accesses d3, 
but that will change soon).  I'm completely onboard with not trusting 
javascript code for security, by the way, which is part of why I'm hoping to 
only access public data and not ask people to input any secret keyring 
information.

> I guess many people will not really like that and some security
> frameworks (things like NoScript) may block it anyway.

Yep, that's why I'm asking if there are specific keyserver hosts okay with this 
kind of application.  NoScript is unrelated: it's about the client, not the 
server.  If enabling CORS would damage the security of a keyserver or a client 
using a keyserver, it would mean that either (1) keyservers are storing private 
information as cookies on client machines or (2) non-javascript code on other 
machines can exploit the same vulnerabilities.

Of course, if you have NoScript on, that would explain why it doesn't work for 
you.

Geoffrey

signature.asc
Description: Message signed with OpenPGP using GPGMail