He means crypto from servers can't be trusted. You need something better. You need crypto running in a browser extension.
If I understood your article correctly, when you (bren2013) refer to in-browser crypto you mean crypto code is delivered from the server. But that's not the only in-browser crypto you can get. You can also get in-browser crypto delivered from a browser extension. Under this second definition of in-browser crypto, the following sentence in the article isn't accurate:
there is nothing in-browser crypto can do to defend against active adversaries.
Let me break that down for you:
1) formulate an argument for a setting in which content-controlled browser Javascript is a sensible place to deploy cryptography.
1.a) Give yourself the full benefit of every facility the web programming model gives you, up to the limit of installing browser extensions.
2) What's a system like (1) that has worked well, and would be resilient to a determined adversary?
So, he's claiming to have shown that content-controlled browser javascript crypto is worse than useless because it allows good people to inadvertently leak secrets. All you have to do to prove him wrong is just tell him a use case where it would make sense and then cite an example where that worked well* and would be resilient to a determined* adversary.
So, all you have to do is say "chatcrypt.com's use case makes sense and chatcrypt rocks. Here I show that it is unbreakable until long after the stars cool, and no amount of kneecap cryptography will lessen the adversary's burden."
* He's giving you two wiggle words already, you can define them however you'd like.