Re: Partial Encryption

hi Mark

thanks. I'll work harder on getting the irony tone correct; in fact, those
questions themselves are not-stupid; it's the answers that usually are :-(

I've read that draft, but it doesn't seem to have any traction?

Grahame



On Tue, Apr 11, 2017 at 8:59 AM, Mark Nottingham <mnot@mnot.net> wrote:

> Hi Grahame,
>
> You might want to have a look at:
>   http://httpwg.org/http-extensions/draft-ietf-httpbis-encryption-encoding.html
> ... along with the implementation list at:
>   https://github.com/httpwg/wiki/wiki/EncryptedContentEncoding
>
> Cheers,
>
> P.S. Anticipating people's questions as "stupid" doesn't help the level of
> discourse here. Please refrain from doing so. Thanks.
>
>
>
> > On 11 Apr 2017, at 6:53 am, Grahame Grieve <grahame@healthintersections.com.au> wrote:
> >
> > We are getting strong push-back against the use of RESTful APIs in
> > healthcare, particularly in Europe, because there is no support for partial
> > encryption - that is, where the content is encrypted (and signed) but the
> > headers are not. SSL does both, obviously. (note: this is in b2b context).
> >
> > There are some RFCs floating around for encrypting and signing the http
> > body, instead of (or as well as) using SSL - but these don't seem to have
> > any penetration.
> >
> > So I'm increasingly seeing discussion around tunneling RESTful APIs
> > across SOAP (or higher level profiles on soap like ebMS), purely for the
> > reason that they protect the body but not the headers.
> >
> > I'm interested in whether anyone here can give me a sense of perspective
> > on where we are - why is content encryption not flying like transport
> > encryption?
> >
> > And don't ask stupid questions like, how actually useful are the
> > headers? This discussion isn't really about functionality but about the
> > ability of large government backbone administrators to tick the box that
> > they'll have the control they need, while being able to tick the box that
> > they've protected the patient's privacy and the healthcare provider's need
> > for reliability
> >
> > Grahame
> >
> >
> > --
> > -----
> > http://www.healthintersections.com.au / grahame@healthintersections.com.au / +61 411 867 065
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>


-- 
-----
http://www.healthintersections.com.au / grahame@healthintersections.com.au
/ +61 411 867 065

Received on Tuesday, 11 April 2017 00:54:27 UTC