On 15/08/07, Frederik Dohr <fdg001(a)gmx.net> wrote:
What's
your plan for communicating keys? You are likely to just move
the security issues from the articles themselves to the keys, which
isn't a great improvement.
I'm not entirely sure what you mean...
For starters, I was thinking of having the user choose any custom key or
"password" (as long as the page is not encrypted already, of course), so
you would actually have to type in that password and reload the page to
decrypt.
Communicating those keys to the authorized people would be a bit
cumbersome, of course - so in later (post-proof-of-concept) versions,
you might have user groups, so the encryption would take place
automatically.
Communicating the keys to the authorised people is exactly what I'm
talking about. Even with user groups, if the decryption is taking
place client-side (which is what you're suggesting with Javascript),
the key needs to be transferred somehow. If you have way of working
out who to send the key to, you could just use the same system to send
the page itself and not worry about encryption.