Partial Encryption
Grahame Grieve <grahame@healthintersections.com.au> Mon, 10 April 2017 20:58 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18A76126CC7 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 10 Apr 2017 13:58:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.502
X-Spam-Level:
X-Spam-Status: No, score=-4.502 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pq0ppLTu4JN7 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 10 Apr 2017 13:58:17 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24200129AEE for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 10 Apr 2017 13:58:12 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1cxgKN-000326-1g for ietf-http-wg-dist@listhub.w3.org; Mon, 10 Apr 2017 20:54:23 +0000
Resent-Date: Mon, 10 Apr 2017 20:54:23 +0000
Resent-Message-Id: <E1cxgKN-000326-1g@frink.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <grahameg@gmail.com>) id 1cxgKJ-0002yj-Cu for ietf-http-wg@listhub.w3.org; Mon, 10 Apr 2017 20:54:19 +0000
Received: from mail-io0-f176.google.com ([209.85.223.176]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <grahameg@gmail.com>) id 1cxgKC-0006v2-PZ for ietf-http-wg@w3.org; Mon, 10 Apr 2017 20:54:14 +0000
Received: by mail-io0-f176.google.com with SMTP id a103so47584970ioj.1 for <ietf-http-wg@w3.org>; Mon, 10 Apr 2017 13:53:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:from:date:message-id:subject:to; bh=f92iumc8/WMpYollA4Mc8gUlUBusPFRUC6IohcSzytM=; b=VL4tesYgFkyAYBEXfm+WT56SMAP8XmWkrUcrixZwu+Zc9NxyArMHu4O/2B3f3poKZH lgaoLVwlf3mFF7UMXN0XFqmjnXNk0q/cfEQ0U/UdZ5xIFJtO4Wh8u7T9A1+2GJQQkKUM OQB2HlKJlLrt4LPJllAW9V8Qv2W3gbr8fZ4H5tKL/jFR7h5wAtInEHhpe5yqNE+5iTuP UNZN4lD5AvIysJE8JB4Pwzsu1bx+N10+xwJpGqdW7bwS9+HoGKY7Nw3njXMCQa682mlH UP8gVNbzpirx40OSvKYb5AJorMfYaDFRHUHJNU5UoN/bDKzuUNKemAVjQYMZiKSnBt+k G6XQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to; bh=f92iumc8/WMpYollA4Mc8gUlUBusPFRUC6IohcSzytM=; b=BpNljBYh602L24csJnSmS4ol0/eQA8wxBCXoUYEPs27hWQtkIHlP+U8H4m1GoHiq09 dKMp4a1+wbwPvjTn4lMne1UrI7EHY01rGUaIJrbhKkTDtw6PTsonjlz99+4q53ZVW03Y NCdR1wUjH1lYYD7P7Q/9D6eyMFODDHNCikZJDRfn7WwBVcIqC0xQv0s3H34A8dr8vrSe jDh4mM9u8uEkQEtAI2qteO5wrPdiG033SxiU+7Z15fnC3YDAJGuOSmEiBKuulU3GJdE4 kQUD1MqktBv5gAWUDbu8TmB5XLq4S+3GA8ZvG/SdxD5z/td9g4UcC5DMJZoZf7XFp6OO C/QQ==
X-Gm-Message-State: AN3rC/45FKKqIfhiPKgVPOfFe3tb9ZOMA4+8WVzcLmh0Qz48gqQCKRqJDwD6/S+dREYsac2NpL1Rm8L8z1L58Q==
X-Received: by 10.107.130.104 with SMTP id e101mr5922771iod.118.1491857626054; Mon, 10 Apr 2017 13:53:46 -0700 (PDT)
MIME-Version: 1.0
Sender: grahameg@gmail.com
Received: by 10.107.7.90 with HTTP; Mon, 10 Apr 2017 13:53:45 -0700 (PDT)
From: Grahame Grieve <grahame@healthintersections.com.au>
Date: Tue, 11 Apr 2017 06:53:45 +1000
X-Google-Sender-Auth: TANRj_NW5CBlA0MSdwiig9UpNYk
Message-ID: <CAG47hGYbqbdTCsdjXwHARFvxysKdrzuNNR5XfVn6Zg7g8pisZA@mail.gmail.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a113eca76db4b88054cd62b30"
Received-SPF: pass client-ip=209.85.223.176; envelope-from=grahameg@gmail.com; helo=mail-io0-f176.google.com
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: AWL=-0.824, BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1cxgKC-0006v2-PZ 3946f87cbdf44b2e71f7787ecc3f56d3
X-Original-To: ietf-http-wg@w3.org
Subject: Partial Encryption
Archived-At: <http://www.w3.org/mid/CAG47hGYbqbdTCsdjXwHARFvxysKdrzuNNR5XfVn6Zg7g8pisZA@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33801
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
We are getting strong push-back against the use of RESTful APis in healthcare, particularly in Europe, because there is no support for partial encryption - that is, where the content is encrypted (and signed) but the headers are not. SSL does both, obviously. (note: this is in b2b context). There are some RFCs floating around for encrypting and signing the http body, instead of (or as well as) using SSL - but these don't seem to have any penetration. So I'm increasingly seeing discussion around tunneling RESTful APIs across SOAP (pr higher level profiles on soap like ebMS), purely for the reason that they protect the body but not the headers. I'm interested in whether anyone here can give me a sense of perspective on where we are - why is content encryption not flying like transport encryption? And don't ask stupid questions like, how actually useful are the headers? This discussion isn't really about functionality but about the ability of large government backbone administrators to tick the box that they'll have the control they need, while being able to tick the box that they've protected the patient's privacy and the healthcare provider's need for reliability Grahame -- ----- http://www.healthintersections.com.au / grahame@healthintersections.com.au / +61 411 867 065
- Re: Partial Encryption Mark Nottingham
- Partial Encryption Grahame Grieve
- Re: Partial Encryption Amos Jeffries
- Re: Partial Encryption John Gates
- Re: Partial Encryption Mark Nottingham
- Re: Partial Encryption Grahame Grieve