I've been wanting to do this for ages. Originally I wanted to do this at the home router level, but that quickly got shut down when I got a test net up and running and my friends could control the Chromecasts in my house.
For us a "tailscale" equivalent with SoftEther is what we used to manage the DNS/Tunneling for our fileshare/services.
So cool to see more people playing in this space. Please post more! <3
I understand, but things like https://github.com/GoogleChromeLabs/comlink enable it. Similar to how iFrames don't have access to their parent page you need a facilitator. My question is why not use a js facilitator that could work in all browsers, rather than just Chrome.
I find it an interesting choice that the author decided to invest in new iFrame technology rather than existing multi-thread technology in the browser.
I'm confident then that you can skip the base64 encoded header and just have the server use the jwt passed in the bearer token and the new signature you propose. (As the base64 encoded version can be reconstructed from the JWT itself)
But I think ideally I would use a wrapped JWT with `"alg": "ES256"` and just pass it as normal in a bearer token[0] as JWTs natively support signed primitives.
When you `.get` a credential you can provide a challenge that it signs which you can make the JWT. With an added bonus that this passkey can exist on your phone or password manager which you can use to authenticate on a different device while still feeling confident in it's security.
Rather than generating key data on the client in the open, and storing it in IDB, I would recommend the Credential Management API[0]. Hand off the responsibility to proper generation and storage to the user agent. Then do your signing of the JWT with them instead.
The recommendation for IP address in the JWT is good, but I don't understand your last recommendation of 1) sending the JWT, 2) additionally sending the base64 JWT in a header 3) sending the signature in the header. The crypto.subtle api only works on https domains so you're not defending against mitm attacks on unsecure networks either. And if we can't trust TLS what can we trust on the web?
I don't know if 5 miles is long enough for the people who actually need it, but if I was a postal worker, these would be pretty sweet. And 1400 USD is cheaper than some car insurance here in Canada for young males.
JPGs are not security, and moving JPGs can be fabricated very easily. Some v-tuber software with a deepfake GAN strapped to it I feel like would fool 1-on-1 meetings too.
But I thought the point of the cages, is that _do_ decrypt the data. And any government mandated backdoors would then go into that process. You're not doing any homomorphic encryption here.
I guess my issue, is that you see both the keys and data, not just one.
EDIT: ha, confused with https://wiki.xxiivv.com/site/uxn.html