Re: Partial Encryption from Mark Nottingham on 2017-04-11 (ietf-http-wg@w3.org from April to June 2017)

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 11 Apr 2017 10:56:53 +1000
To: Grahame Grieve <grahame@healthintersections.com.au>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <F5D76141-5A2B-4438-AA39-9F8011A4CF82@mnot.net>

> On 11 Apr 2017, at 10:53 am, Grahame Grieve <grahame@healthintersections.com.au> wrote:
> 
> hi Mark
> 
> thanks. I'll work harder on getting the irony tone correct; in fact, those questions themselves are not-stupid; it's the answers that usually are :-(

:) No worries. I probably needed more coffee when I read it too.

> I've read that draft, but it doesn't seem to have any traction?

It has some -- see the implementation list. Because it's part of WebPush, it'll end up in browsers too (and I think already is getting in there), although it's not clear how/if it'll be exposed generically. 

Cheers,

> 
> Grahame
> 
> 
> 
> On Tue, Apr 11, 2017 at 8:59 AM, Mark Nottingham <mnot@mnot.net> wrote:
> Hi Grahame,
> 
> You might want to have a look at:
>   http://httpwg.org/http-extensions/draft-ietf-httpbis-encryption-encoding.html
> ... along with the implementation list at:
>   https://github.com/httpwg/wiki/wiki/EncryptedContentEncoding
> 
> Cheers,
> 
> P.S. Anticipating people's questions as "stupid" doesn't help the level of discourse here. Please refrain from doing so. Thanks.
> 
> 
> 
> > On 11 Apr 2017, at 6:53 am, Grahame Grieve <grahame@healthintersections.com.au> wrote:
> >
> > We are getting strong push-back against the use of RESTful APis in healthcare, particularly in Europe, because there is no support for partial encryption - that is, where the content is encrypted (and signed) but the headers are not. SSL does both, obviously. (note: this is in b2b context).
> >
> > There are some RFCs floating around for encrypting and signing the http body, instead of (or as well as) using SSL - but these don't seem to have any penetration.
> >
> > So I'm increasingly seeing discussion around tunneling RESTful APIs across SOAP (pr higher level profiles on soap like ebMS), purely for the reason that they protect the body but not the headers.
> >
> > I'm interested in whether anyone here can give me a sense of perspective on where we are - why is content encryption not flying like transport encryption?
> >
> > And don't ask stupid questions like, how actually useful are the headers? This discussion isn't really about functionality but about the ability of large government backbone administrators to tick the box that they'll have the control they need, while being able to tick the box that they've protected the patient's privacy and the healthcare provider's need for reliability
> >
> > Grahame
> >
> >
> > --
> > -----
> > http://www.healthintersections.com.au / grahame@healthintersections.com.au / +61 411 867 065
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 
> 
> 
> 
> -- 
> -----
> http://www.healthintersections.com.au / grahame@healthintersections.com.au / +61 411 867 065

--
Mark Nottingham   https://www.mnot.net/

Received on Tuesday, 11 April 2017 00:57:25 UTC