On 10/21/2010 05:53 PM, Nelson B Bolyard wrote:
IMO, apart from the mundane technical issue of making hash and bignum
functions public, there are some bigger questions, such as:
- the wisdom of making Mozilla products even MORE dependent on shared
secrets and passwords than they already are, when, for at least a decade,
shared secrets in general and passwords in particular have been regarded
by security experts as more part of the problem than part of the solution.
Passwords suck, agreed.
But developers will code this stuff in Javascript anyway. By not
withholding those solid primitives which already exist someone has a
shot at making something that's not leaking through every imaginable
side-channel.
- Letting mozilla products become a playground for home-baked crypto
protocols. That's a gate you'll find difficult to close once it is
allowed to be opened.
Since when have Mozilla products not been a playground?
Who put up a gate in the first place anyway?
Would you really have app developers go elsewhere for bignums?
Do you really think it would inhibit anyone from baking with crypto?
I want my playground and Easy Bake crypto oven. Or, more precisely, it
bugs me that an open project like Mozilla would restrict tools on the
"too dangerous for mere mortals" principle.
<cheap_shot>
So if Mozilla's got such high standards on authentication and such, they
can put up even one add-on that doesn't say "(Author not verified)" in
my browser:
https://addons.mozilla.org/en-US/firefox/addon/15003/
https://addons.mozilla.org/en-US/firefox/addon/11950/
</cheap_shot>
- Marsh
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
