Encrypted Profile Documents


bru...@simiatech.com

May 13, 2013, 9:23:15 AM
to unho...@googlegroups.com
Hi all,

I attended an Unhosted talk at the Codemotion conference in Berlin last Saturday. I really liked the talk, and it occurred to me that the intention behind Unhosted is similar to the intention I had when I developed the Encrypted Profile Document format. I never found a good reason why the data that I send to someone has to be available to Facebook, Google or any other website too.

The EPD format is a JSON-based encryption container for all data you can imagine. It's designed to encrypt the payload, but make it readable to a selected number of other EPD authors. It hides information, but allows explicit sharing with others.
The library for handling EPDs is implemented in pure JavaScript and should run in current Firefoxes and Chromes. Try it out at [1]. The documentation of the format itself can be found at [2]. To see the technology in action, I used it to build a social network. It can be found at [3]. Upfront apologies for the uninspired Bootstrap design and the poor UX :-)

I would be glad to hear your thoughts about that subject. Bug reports are welcome too.
Best regards
Philipp
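
The sharing model described in the post above (one encrypted payload, readable by a chosen set of recipients) is commonly built as hybrid encryption with one wrapped content key per recipient. The following is an added example for Node.js, not Philipp's code and not the EPD format: the JSON field names, the `seal`/`unseal` helpers and the choice of RSA-OAEP with AES-256-GCM are assumptions.

```javascript
// Added illustration of a multi-recipient encrypted JSON container.
// Field names (iv, tag, ciphertext, recipients, wrappedKey) are hypothetical,
// not taken from the EPD specification.
const nodeCrypto = require('node:crypto');

const oaep = (key) => ({
  key,
  padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING,
  oaepHash: 'sha256',
});

// Encrypt the payload once with a fresh AES-256-GCM key, then wrap that key
// separately under each recipient's RSA public key.
function seal(plaintext, recipients) {
  const contentKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12); // 96-bit nonce, fresh per container
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', contentKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return JSON.stringify({
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ciphertext.toString('base64'),
    recipients: Object.entries(recipients).map(([id, publicKey]) => ({
      id,
      wrappedKey: nodeCrypto.publicEncrypt(oaep(publicKey), contentKey).toString('base64'),
    })),
  });
}

// Returns the plaintext, or null when `id` is not listed, the private key does
// not match, or the ciphertext/tag was modified (GCM authentication fails).
function unseal(container, id, privateKey) {
  const doc = JSON.parse(container);
  const entry = doc.recipients.find((r) => r.id === id);
  if (!entry) return null;
  try {
    const wrapped = Buffer.from(entry.wrappedKey, 'base64');
    const contentKey = nodeCrypto.privateDecrypt(oaep(privateKey), wrapped);
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', contentKey, Buffer.from(doc.iv, 'base64'));
    d.setAuthTag(Buffer.from(doc.tag, 'base64'));
    const body = Buffer.from(doc.ciphertext, 'base64');
    return Buffer.concat([d.update(body), d.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Constructed demo identities: alice and bob are recipients, carol is not.
const newPair = () => nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const alice = newPair(), bob = newPair(), carol = newPair();
const sealed = seal('hello contacts', { alice: alice.publicKey, bob: bob.publicKey });
```

Note that the recipient list itself is not authenticated here; a real container format would also sign the document so readers can verify its author.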



Pierre Ozoux

May 13, 2013, 9:40:37 AM
to unho...@googlegroups.com
Hi,

Just, how did you get your social plugin to not activate by default?

Cheers,

Pierre





Michiel B. de Jong

May 13, 2013, 10:11:08 AM
to unho...@googlegroups.com
On 2013-05-13 15:23, bru...@simiatech.com wrote:
> Hi all,
>
> I've attended an Unhosted talk at the Codemotion conference in Berlin
> last Saturday. I really liked the talk and it came to my mind, that
> the intention behind Unhosted is similar to the intention I had when
> I developed the Encrypted Profile Document-Format. I never found a good
> reason, why the data that I send to someone, has to be available to
> Facebook, Google or any other website too.

Yes, hi Philipp, was nice talking on Saturday, thanks for posting!

Anyaku looks really cool, too. I'm "michielbdejong" on there, now. :)

In http://anyaku.com/papers/epd.pdf you mention you used the CryptoJS
and JSBN libraries, what were your experiences with that? Did you
consider using SJCL or OpenPGP.js? See also Jon's post from this morning
https://groups.google.com/forum/#!topic/unhosted/5MQVLY_wy2A (not sure
if they expose the functions you need for your use case, though).


Welcome to the movement! :)


Cheers,
Michiel

bru...@simiatech.com

May 13, 2013, 11:52:43 AM
to unho...@googlegroups.com
Hi Pierre,

I've used the http://socialitejs.com/ JS lib. On the site is a hover demo, which shows how to load the buttons only if the mouse moves over them. This avoids sending too much data to Google and Facebook.

Best,
Philipp

Pierre Ozoux

May 13, 2013, 11:55:40 AM
to unho...@googlegroups.com
Great!

Thanks :) and sorry for the spam to the whole list...

Written with a mobile device, sorry for typos..

bru...@simiatech.com

May 13, 2013, 12:21:56 PM
to unho...@googlegroups.com, anyt...@michielbdejong.com
Hi Michiel,

welcome to Anyaku :-) You're on my contact list now.

When I started the project, I searched the web for crypto libraries. I think I considered SJCL as well, but I didn't come across OpenPGP.js. At first sight, it looks like quite a usable lib.
My experience with CryptoJS is quite good. It's just a good implementation. But for the RSA support, I only found JSBN at that time (one year ago). This lib caused more problems. The interface is tricky to use and especially the key pair generator seems really slow to me.

But I consider both libs only as temporary solutions. The UX will be much better if the Web Cryptography API is available (and implemented). It would also be interesting to see a crypto lib using asm.js. Well, a lot of work for limited time :-)

Best,
Philipp

Tony Garnock-Jones

May 13, 2013, 12:48:08 PM
to unho...@googlegroups.com
On 05/13/2013 12:21 PM, bru...@simiatech.com wrote:
> When I started the project, I searched the web for crypto
> libraries. I think I considered SJCL as well, but I didn't come across
> OpenPGP.js. At first sight, it looks like quite a usable lib.

I've recently been working on using emscripten to compile djb et al's
excellent NaCl cryptography lib to Javascript:

- http://nacl.cr.yp.to/, for those unaware of the library
- http://cr.yp.to/highspeed/coolnacl-20120725.pdf, an exposition of the
design considerations of the library's API
- https://github.com/tonyg/js-nacl/, my emscripten-built nacl library
- (related) https://github.com/tonyg/js-scrypt, emscripten scrypt

Cheers,
Tony

bru...@simiatech.com

May 16, 2013, 11:07:53 AM
to unho...@googlegroups.com
That's actually a great idea! Use a mature C++ crypto library and compile it with emscripten. I'll definitely run some tests with it.

It would be interesting if it's possible to reduce the size a little bit. 300+ kb is quite a lot for a web project. I think Google's Closure minifier is worth a try too. It should detect and remove unused parts of the lib.

Thanks for the input anyway.

Best,
Philipp

Manuel Schölling

May 16, 2013, 11:12:00 AM
to unho...@googlegroups.com
On 16.05.2013 17:07, bru...@simiatech.com wrote:
> That's actually a great idea! Use a mature C++ crypto library and
> compile it with emscripten. I'll definitely run some tests with it.

Hi,

I did the same with GnuPG (a little bit more end-user orientated) and
released it yesterday.

You can find it here:

https://github.com/manuels/unix-toolbox.js-gnupg
http://manuels.github.io/unix-toolbox.js-gnupg/


Cheers,

Manuel



Michiel B. de Jong

May 16, 2013, 11:34:08 AM
to unho...@googlegroups.com
On 2013-05-16 17:12, Manuel Schölling wrote:
> I did the same with GnuPG (a little bit more end-user orientated) and
> released it yesterday.
>
> You can find it here:
>
> https://github.com/manuels/unix-toolbox.js-gnupg
> http://manuels.github.io/unix-toolbox.js-gnupg/

Cool! so how does this compare to openpgpjs.org? are they two
equivalent implementations of the same standard? what are the pros/cons
of each?

Manuel Schölling

May 16, 2013, 1:04:11 PM
to unho...@googlegroups.com
On 16.05.2013 17:34, Michiel B. de Jong wrote:
I don't know much about openpgp.js but it seems that both programs
implement the same standard. GnuPG.js is an *exact* javascript
conversion of GnuPG (as long as no errors are introduced by translating
it to JS).

It seems that GnuPG.js is slower than OpenPGP.js but it is based on a
more mature code base so this might be a security advantage.
I'm not sure whether OpenPGP.js has all the features that GnuPG.js
offers but OpenPGP.js offers more plugins.

I'm still not sure whether it is a good idea to implement crypto in JS
(see e.g. [1]) but it's fun to play around with it. (But I would not
encrypt my nuclear weapons' launch codes with it) ;)


[1] http://www.matasano.com/articles/javascript-cryptography/

Nick Jennings

May 16, 2013, 1:32:46 PM
to unho...@googlegroups.com
I've been following OpenPGP.js for a few months now, and I'm pretty sure it's the most advanced one out there in the JavaScript world. I don't have first hand experience, but from what I've gathered a lot of those automatic ports of tools to JS, while good proofs of concept, are not optimized for the browser. So you're going to get much slower performance as well as possibly extremely wasteful battery consumption on mobile devices. That's my superficial assessment anyway. OpenPGP.js projects are also starting to get more attention, with some (Crypto Stick) recently being accepted to GSOC 2013, getting money, etc.

I also know there are some big, private, email clients being written with OpenPGP.js - though it's unclear from the people I've talked to if these will ever be public, or are completely private for a large company.

If I were to write an unhosted email app with Sockethub right now, I'd use OpenPGP.js - but I have a lot of things I need to complete before I can get to that goal :) It does need to be done at some point, by someone.




pir...@gmail.com

May 16, 2013, 1:43:48 PM
to unho...@googlegroups.com

> If I were to write an unhosted email app with Sockethub right now, I'd use OpenPGP.js - but I have a lot of things I need to complete before I can get to that goal :) It does need to be done at some point, by someone

I don't need to know more... :-D

By the way, how is a project selected for the GSoC?

Nick Jennings

May 16, 2013, 1:46:08 PM
to unho...@googlegroups.com
On Thu, May 16, 2013 at 7:43 PM, pir...@gmail.com <pir...@gmail.com> wrote:

> By the way, how is a project selected for the GSoC?


I'm not sure, I've never looked into it myself. In this case I'd heard it announced on the OpenPGP.js mailing list.

Sean McGregor

May 16, 2013, 2:16:54 PM
to unho...@googlegroups.com
Sponsoring organizations are accepted into GSoC, individual projects are not.

GSoC uses a two-stage application process. (1) Organizations apply to
Google to be a sponsoring organization. (2) Accepted orgs receive and
accept/reject student project applications.

If you are looking to mentor GSoC students for your project, the
easiest way is likely to work through an umbrella organization
(Apache, etc).

If you are a student who wants GSoC funding for your project, you can
shop around the various sponsoring orgs to find the best fit. You
could then discuss what you want to do with the org's mentors. It is
more difficult to get a completely original project into GSoC than one
of the "ideas" of an org, but so long as you have a passion for the
software and it is in the scope of the sponsoring org's goals, you
could probably make it happen.

-Sean



--
Sean McGregor

Oregon State University, Department of Computer Science
Twitter: seanmcgregor
irc.freenode.net: smcgregor

Nick Jennings

May 16, 2013, 2:24:32 PM
to unho...@googlegroups.com
Thanks for the clarification Sean. Makes sense. In this case I think Crypto Stick had been accepted as a sponsoring organization, and was looking for OpenPGP.js developers to work on a specific project (5000 USD)

pir...@gmail.com

May 16, 2013, 2:31:37 PM
to unho...@googlegroups.com

Thanks Sean, mine would be in the second group, I'll take a look at it.

Sean McGregor

May 16, 2013, 8:43:47 PM
to unho...@googlegroups.com
Happy to help :)

Although the deadline for student proposals has passed for this
summer, it is still a good time to build connections with mentoring
organizations. GSoC is about growing the open source community so the
organizations involved in GSoC are very welcoming to new contributors.

pir...@gmail.com

May 17, 2013, 4:04:18 AM
to unho...@googlegroups.com

Good to know :-) Only that I'm very introverted and bad at public relations... :-P
