Re: [dev] seif opinions?

From: Louis Santillan <lpsantil_AT_gmail.com>
Date: Sun, 25 Sep 2016 09:23:11 -0700

On Sun, Sep 25, 2016 at 1:47 AM, Hiltjo Posthuma <hiltjo_AT_codemadness.org> wrote:
> On Sat, Sep 24, 2016 at 10:44:33PM -0700, Louis Santillan wrote:
>> Has anybody considered seif [0][1]?
>>
>> I disagree with the choice of nodejs & Qt, and the idea of capturing
>> entropy from microphone and camera is interesting but gameable. I
>> think the overall concept is viable.
>>
>> [0] (Repo) http://www.seif.place
>> [1] (Talk) https://www.oreilly.com/ideas/the-seif-project
>>
>
> Can you give (brief) background information on what the project does?

Sorry, not brief.

The talks, the code [0][1] and the lone protocol document [2] say it
best. A little like the HTTPSSH [3] Sylvain was describing but
prescriptive as to the technology stack.

Instead of HTTP or HTTPS (which is HTTP+TLS these days), replace the
negotiation of the HTTP protocol with a PKI style 2 packet handshake
over TCP that are in the form of JSON messages. All future (also
encrypted JSON message) commands & responses are then processed using
nodejs client/servers. Instead of using a markup + stylesheets (or SVG
or VRML or XForm or etc or W3C crap standard) as the presentation
layer, specify & utilize Qt. Lastly, to support eventual replacement
of the web (instead of wholesale replacement) create & support an open
browser plugin so that seif clients/servers can be <EMBED>ed &
utilized in the current set of web infrastructure. A new
browser/client/mobile app is also supportable if a large
infrastructure player (like a bank {PayPal} or healthcare provider or
etc) can provide value through it.

The specification is so far very high level and client/server examples
are relatively new. I would have leaned towards extending a gopher
protocol like solution.

What I like:
* Use of the PKI-style handshake for secure communication without CA
infrastructure
* Non-use of HTML/CSS
* The use of JSON as command response language (almost anything is an
improvement over HTTP though)
* Use of an actual GUI command set

What I dislike:
* The specification of nodejs
* The specification of Qt (I would have been ok with even a new GUI lib but
understand that this is a compromise of what's available)
* The invasive & prescriptive use of hardware for entropy collection
* The lack of unencrypted fallback for human readable messages & debugging
* The lack of a document mode (or text mode) vs. application mode


[0] https://github.com/paypal/seifnode
[1] https://github.com/paypal/seif-protocol/blob/master/examples/
[2] https://raw.githubusercontent.com/paypal/seif-protocol/master/doc/seifhandshake.html
[3] http://lists.suckless.org/dev/1609/30541.html
Received on Sun Sep 25 2016 - 18:23:11 CEST