Re: Partial Encryption

Hi Grahame,

You might want to have a look at:
... along with the implementation list at:


P.S. Anticipating people's questions as "stupid" doesn't help the level of discourse here. Please refrain from doing so. Thanks.

> On 11 Apr 2017, at 6:53 am, Grahame Grieve <> wrote:
> We are getting strong push-back against the use of RESTful APis in healthcare, particularly in Europe, because there is no support for partial encryption - that is, where the content is encrypted (and signed) but the headers are not. SSL does both, obviously. (note: this is in b2b context).
> There are some RFCs floating around for encrypting and signing the http body, instead of (or as well as) using SSL - but these don't seem to have any penetration.
> So I'm increasingly seeing discussion around tunneling RESTful APIs across SOAP (pr higher level profiles on soap like ebMS), purely for the reason that they protect the body but not the headers. 
> I'm interested in whether anyone here can give me a sense of perspective on where we are - why is content encryption not flying like transport encryption? 
> And don't ask stupid questions like, how actually useful are the headers? This discussion isn't really about functionality but about the ability of large government backbone administrators to tick the box that they'll have the control they need, while being able to tick the box that they've protected the patient's privacy and the healthcare provider's need for reliability 
> Grahame
> -- 
> -----
> / / +61 411 867 065

Mark Nottingham

Received on Monday, 10 April 2017 22:59:41 UTC