[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: WebSign standardization effort - Encryption considerations
A potential WebSign standards effort should
IMHO not deal with explicit message encryption, as I believe this is
a less generally useful "feature". It is rather the
provider (your employer, your bank, your government), that sets the
policies, including encryption, for a specific web application
and acts accordingly. In an off-line e-mail scenario you don't have
this option and due to this, policies effectively becomes a client issue.
However, finding the proper encryption key to use is a major problem that
clients should not have to deal with in a properly designed web
application. To protect contents against the web application
provider's eyes seems like an odd measure, unless we are actually talking about
WebMail.
Secure WebMail is though an entirely separate
issue as it must conform to S/MIME rather than using XML security. In
addition, if Secure WebMail is to be used with untrusted mail providers, it
requires the use of Wet Signatures (open forms), and "semi-fat" clients, as the
providers MUST NOT (if message encryption is to be used), be able to
"see" any clear text data, including possible attachments. The latter
means that the standard way to handle attachments today, "upload",
simply is not an option. Secure WebMail is due to those
constraints, IMO another [possible] standardization effort.
Even if a Secure WebMail standardization effort indeed were launched, I would
not build such a scheme for untrusted providers as the "market" for such a
scheme seems limited when standard e-mail clients comes for free and already
handles this scenario. The possible use-case with public computers do not
align well with encrypted content as public computers cannot be assumed to be
safe for communicating truly classified or very private information, for that
you should use your mobile phone or PDA, "model 2007" with built-in TPM
(Trusted Platform Module) support.
Comments?
Anders Rundgren
Working for a major US computer security company
but here acting as an
individual |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]