Re: Partial Encryption
Mark Nottingham <mnot@mnot.net> Mon, 10 April 2017 23:02 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6BE2126C3D for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 10 Apr 2017 16:02:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UOTihnxmlSfH for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 10 Apr 2017 16:02:35 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60055127A97 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 10 Apr 2017 16:02:32 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1cxiHl-0001oZ-SX for ietf-http-wg-dist@listhub.w3.org; Mon, 10 Apr 2017 22:59:49 +0000
Resent-Date: Mon, 10 Apr 2017 22:59:49 +0000
Resent-Message-Id: <E1cxiHl-0001oZ-SX@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mnot@mnot.net>) id 1cxiHd-0001mj-JP for ietf-http-wg@listhub.w3.org; Mon, 10 Apr 2017 22:59:41 +0000
Received: from mxout-07.mxes.net ([216.86.168.182]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from <mnot@mnot.net>) id 1cxiHW-0001TT-WB for ietf-http-wg@w3.org; Mon, 10 Apr 2017 22:59:36 +0000
Received: from [192.168.3.104] (unknown [124.189.98.244]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id C85DF22E253; Mon, 10 Apr 2017 18:59:11 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CAG47hGYbqbdTCsdjXwHARFvxysKdrzuNNR5XfVn6Zg7g8pisZA@mail.gmail.com>
Date: Tue, 11 Apr 2017 08:59:07 +1000
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <CBB2CB4B-7D68-47FE-887B-422DEB99DB52@mnot.net>
References: <CAG47hGYbqbdTCsdjXwHARFvxysKdrzuNNR5XfVn6Zg7g8pisZA@mail.gmail.com>
To: Grahame Grieve <grahame@healthintersections.com.au>
X-Mailer: Apple Mail (2.3273)
Received-SPF: pass client-ip=216.86.168.182; envelope-from=mnot@mnot.net; helo=mxout-07.mxes.net
X-W3C-Hub-Spam-Status: No, score=-7.0
X-W3C-Hub-Spam-Report: AWL=2.592, BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1cxiHW-0001TT-WB 6c2ca9fb6b73b8a100de2e9773fa83eb
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Partial Encryption
Archived-At: <http://www.w3.org/mid/CBB2CB4B-7D68-47FE-887B-422DEB99DB52@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33802
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi Grahame, You might want to have a look at: http://httpwg.org/http-extensions/draft-ietf-httpbis-encryption-encoding.html ... along with the implementation list at: https://github.com/httpwg/wiki/wiki/EncryptedContentEncoding Cheers, P.S. Anticipating people's questions as "stupid" doesn't help the level of discourse here. Please refrain from doing so. Thanks. > On 11 Apr 2017, at 6:53 am, Grahame Grieve <grahame@healthintersections.com.au> wrote: > > We are getting strong push-back against the use of RESTful APis in healthcare, particularly in Europe, because there is no support for partial encryption - that is, where the content is encrypted (and signed) but the headers are not. SSL does both, obviously. (note: this is in b2b context). > > There are some RFCs floating around for encrypting and signing the http body, instead of (or as well as) using SSL - but these don't seem to have any penetration. > > So I'm increasingly seeing discussion around tunneling RESTful APIs across SOAP (pr higher level profiles on soap like ebMS), purely for the reason that they protect the body but not the headers. > > I'm interested in whether anyone here can give me a sense of perspective on where we are - why is content encryption not flying like transport encryption? > > And don't ask stupid questions like, how actually useful are the headers? This discussion isn't really about functionality but about the ability of large government backbone administrators to tick the box that they'll have the control they need, while being able to tick the box that they've protected the patient's privacy and the healthcare provider's need for reliability > > Grahame > > > -- > ----- > http://www.healthintersections.com.au / grahame@healthintersections.com.au / +61 411 867 065 -- Mark Nottingham https://www.mnot.net/
- Re: Partial Encryption Mark Nottingham
- Partial Encryption Grahame Grieve
- Re: Partial Encryption Amos Jeffries
- Re: Partial Encryption John Gates
- Re: Partial Encryption Mark Nottingham
- Re: Partial Encryption Grahame Grieve