| Subject | Re: [IB-Architect] Including encryption |
|---|---|
| Author | Doug Chamberlin |
| Post date | 2000-04-29T23:42:51Z |
At 4/29/00 06:22 PM (Saturday), Bill Karwin wrote:
We don't need to visit the argument that "if it isn't the best available
then it isn't worth anything", do we?
The claims can be only to call the encryption API at the appropriate times,
however.
communications (SQL statements and result set data) are not passed in the
clear. That alone would satisfy many customers.
don't agree we can do that.
can live with the performance of it all.
go to the VPN level at all.
which to communicate and since we can redirect Interbase to another port
number they can pick which one they are willing to assign.
>Me too. My reasons are:No need to. It does not have to be state of the art.
>
>o The state of the art of encryption moves too quickly for
> InterBase to keep up.
We don't need to visit the argument that "if it isn't the best available
then it isn't worth anything", do we?
>o Once InterBase claims to support encryption, the vendor acceptsTrue, there is some level of liability.
> a level of liability for security that too high.
The claims can be only to call the encryption API at the appropriate times,
however.
>o An InterBase-only encryption mechanism is useless.I don't agree. I'd like to be able to say that, at least the database
> Any security package that an IT shop chooses must account for
> any type of traffic, which is typically email, file access,
> http, and perhaps telnet.
communications (SQL statements and result set data) are not passed in the
clear. That alone would satisfy many customers.
> > However, there are some practical problems whichActually, I think they are a mix of these.
> > would be easily solved if this could be included.
>
>The problems are typically not technical, but bureaucratic in nature.
>A security-conscious site *wants* application-independent control overWell, that's lumping a lot of people and places into one big category. I
>their network encryption and security.
don't agree we can do that.
>Most shops won't trust encryption that is bundled with an application.Ok, but so what? If everything still works then no harm done, assuming they
>They've done their independent research and settled on their network
>security implementation, and they have a policy that anything -- even
>encrypted traffic -- has to use their secure connection.
can live with the performance of it all.
>My point is that these hassles won't be reduced, whether InterBaseBut if we had database level encryption of some sort we might not have to
>includes encryption or not. The people running the VPN won't allow
>*anything* to come into their network that isn't using *their* security
>mechanism.
go to the VPN level at all.
> > All that would be left would be to ensure that the port in use was allowedBut an argument can be made that a database product needs *some* port on
> > to be used.
>
>This is another problem. Secure networks typically are not eager to
>open up more ports than they have to. They prefer that if you need to
>use a port, you use a "tunnel" on their preferred security
>implementation. They are *not* going to open up port 3050, even if
>InterBase includes encryption technology.
which to communicate and since we can redirect Interbase to another port
number they can pick which one they are willing to assign.