Fri Sep 30 18:10:18 CEST 2011
On Sep 30, 2011, at 11:57 AM, ext Joe Armstrong wrote:
>> How will you deliver the secret key to the browser such that the JS can encrypt securely for some period of time?
> I won't - The following seems ok
> 1) the browser gets the RSA public key of the server. This is hard wired
> or "well known"
> 2) the browser generates a random session key and encrypts it with
> the server's public key.
> 3) the encrypted session key is sent to the server
> 4) Only the server can decrypt this key
> 5) both sides use the session key
>> If you trust the server to deliver crypto code + key, why not trust the server to do
>> SSL/TLS which will require less new code?
> Because I haven't implemented SSL myself :-)
Well, that is what you're doing, based on the steps you write above, but presumably with just the key parts, and no CAs or certs involved ;)
> - it's an opportunity to learn a bit more about number theory.
As long as you _want_ to re-implement SSL/TLS, then… enjoy!
>> - John
>>> Any ideas?
>>> I want both sides to be reasonably efficient with non-restrictive
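The five steps quoted above, carried through end to end as an added example (not code from this thread or from any poster). It shows that the scheme provides confidentiality and tamper detection only if the browser really holds the server's genuine public key, since no CA or certificate vouches for it. Assumptions: Node's built-in `crypto` module stands in for both the browser JS and the Erlang server, RSA-OAEP and AES-256-GCM are choices the thread does not name, and all function names are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Server side: long-lived RSA key pair. The public half is what step 1 calls
// "hard wired or well known"; its authenticity is the only trust anchor here.
const server = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Steps 2-3 (browser): random session key, wrapped under the server's public key.
function clientWrapSessionKey(serverPublicKey) {
  const sessionKey = nodeCrypto.randomBytes(32);
  const wrapped = nodeCrypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, sessionKey);
  return { sessionKey, wrapped };
}

// Step 4 (server): only the private-key holder recovers the session key.
function serverUnwrapSessionKey(wrapped) {
  return nodeCrypto.privateDecrypt({ key: server.privateKey, ...OAEP }, wrapped);
}

// Step 5: both sides use the session key. AES-256-GCM so tampering is detected.
function seal(sessionKey, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // must never repeat under one key
  const c = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}

function unseal(sessionKey, { iv, body, tag }) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(body), d.final()]).toString('utf8'); // throws on bad tag
}

// Constructed demo run: browser -> server message, then a tampered copy.
function demo() {
  const { sessionKey, wrapped } = clientWrapSessionKey(server.publicKey);
  const serverKey = serverUnwrapSessionKey(wrapped);
  const msg = seal(sessionKey, 'hello from the browser');
  const received = unseal(serverKey, msg);
  const tampered = { ...msg, body: Buffer.from(msg.body) };
  tampered.body[0] ^= 1; // flip one ciphertext bit in transit
  let rejected = false;
  try { unseal(serverKey, tampered); } catch (e) { rejected = true; }
  return { keysMatch: serverKey.equals(sessionKey), received, rejected };
}
```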