I think it'd be cool if the browser had some sort of crypto "black box" (although open to inspection) that you could just send messages to without using JavaScript. Sorta like a software-defined TPM that handles crypto-related doodads.
"But doesn't TLS cover that???"
Only if you trust your server.
"Why wouldn't you do that???"
The National Security Letter.
@Elizafox it this point that's probably why we added javascript
@CobaltVelvet We added JavaScript so people could make bloated atrocious websites that didn't really need it
@Elizafox arent you thinking of like a gpg plugin
but without the gpg part
@CobaltVelvet I am kinda thinking of that
@CobaltVelvet thinking about it more
yeah
@Elizafox @CobaltVelvet also, you need to decide whether a softtpm is acceptable
It'd be a really awful complex mechanism to decide how to validate signatures and stuff with this though
idk how you'd divert messages to this black box. It'd probably have to be HTTP level and signalled with special headers as to what cryptographic operations you want performed.