Re: Partial Encryption

John Gates <dimante@dimante.net> Tue, 11 April 2017 01:35 UTC

From: John Gates <dimante@dimante.net>
Date: Mon, 10 Apr 2017 20:31:09 -0500
Message-ID: <CAFmBjviVLxL0dr_BjtzLVRYjxk2zua7PiqpXkuZjaQbhXPTtjw@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Grahame Grieve <grahame@healthintersections.com.au>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

I totally get it on the compliance and checking the box statement.  There
are some tough roads ahead on actually making something like this happen
and be routable.  I think that may be what's really holding this type of
encryption back.

Best Regards,

John Gates, CISSP

*Let’s Connect!*

<https://twitter.com/johngatesIII>   <http://www.linkedin.com/in/JohnGates>

*This email may contain information that is confidential or attorney-client
privileged and may constitute inside information. The contents of this
email are intended only for the recipient(s) listed above. If you are not
the intended recipient, you are directed not to read, disclose, distribute
or otherwise use this transmission. If you have received this email in
error, please notify the sender immediately and delete the transmission.
Delivery of this message is not intended to waive any applicable
privileges.*

On Mon, Apr 10, 2017 at 7:56 PM, Mark Nottingham <mnot@mnot.net> wrote:

>
> > On 11 Apr 2017, at 10:53 am, Grahame Grieve <grahame@healthintersections.com.au> wrote:
> >
> > hi Mark
> >
> > thanks. I'll work harder on getting the irony tone correct; in fact, those questions themselves are not-stupid; it's the answers that usually are :-(
>
> :) No worries. I probably needed more coffee when I read it too.
>
> > I've read that draft, but it doesn't seem to have any traction?
>
> It has some -- see the implementation list. Because it's part of WebPush, it'll end up in browsers too (and I think already is getting in there), although it's not clear how/if it'll be exposed generically.
>
> Cheers,
>
> >
> > Grahame
> >
> >
> >
> > On Tue, Apr 11, 2017 at 8:59 AM, Mark Nottingham <mnot@mnot.net> wrote:
> > Hi Grahame,
> >
> > You might want to have a look at:
> >   http://httpwg.org/http-extensions/draft-ietf-httpbis-encryption-encoding.html
> > ... along with the implementation list at:
> >   https://github.com/httpwg/wiki/wiki/EncryptedContentEncoding
> >
> > Cheers,
> >
> > P.S. Anticipating people's questions as "stupid" doesn't help the level of discourse here. Please refrain from doing so. Thanks.
> >
> >
> >
> > > On 11 Apr 2017, at 6:53 am, Grahame Grieve <grahame@healthintersections.com.au> wrote:
> > >
> > > We are getting strong push-back against the use of RESTful APIs in healthcare, particularly in Europe, because there is no support for partial encryption - that is, where the content is encrypted (and signed) but the headers are not. SSL does both, obviously. (note: this is in b2b context).
> > >
> > > There are some RFCs floating around for encrypting and signing the http body, instead of (or as well as) using SSL - but these don't seem to have any penetration.
> > >
> > > So I'm increasingly seeing discussion around tunneling RESTful APIs across SOAP (or higher level profiles on soap like ebMS), purely for the reason that they protect the body but not the headers.
> > >
> > > I'm interested in whether anyone here can give me a sense of perspective on where we are - why is content encryption not flying like transport encryption?
> > >
> > > And don't ask stupid questions like, how actually useful are the headers? This discussion isn't really about functionality but about the ability of large government backbone administrators to tick the box that they'll have the control they need, while being able to tick the box that they've protected the patient's privacy and the healthcare provider's need for reliability
> > >
> > > Grahame
> > >
> > >
> > > --
> > > -----
> > > http://www.healthintersections.com.au / grahame@healthintersections.com.au / +61 411 867 065
> >
> > --
> > Mark Nottingham   https://www.mnot.net/
> >
> >
> >
> >
> > --
> > -----
> > http://www.healthintersections.com.au / grahame@healthintersections.com.au / +61 411 867 065
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>
>