| Subject | Re: [IB-Architect] Including encryption |
|---|---|
| Author | Jan Mikkelsen |
| Post date | 2000-05-01T04:50:07Z |
Bill Karwin <bill@...> wrote:
protocols must go through a proper (long) review process before they can
safely be used in real systems. Just look at the NIST AES process.
disclaims any liability for losses incurred through the use of the software.
In fact, I'd be surprised if it even accepted that the software was fit for
a given purpose.
confidentiality: Depending on the circumstances, you might also need
authentication, non-repudiation or integrity. They are provided by applying
cryptography in different ways. Just encrypting your links does nothing for
process level authentication.
cryptographic authentication of clients. This is quite separate to making
the contents of a session confidential through encryption, and is quite a
reasonable requirement.
I think before any real discussion takes place about "using encryption", the
purpose needs to be clear. Encryption is useful for more than just making
things confidential.
Jan Mikkelsen
janm@...
>Doug Chamberlin wrote:The encryption state of the art actually moves very slowly. New ciphers and
>>
>> I have long been in the camp that says that encryption of
>> client-server communications belongs outside the sphere and
>> responsibility of the database server vendor.
>
>Me too. My reasons are:
>
>o The state of the art of encryption moves too quickly for
> InterBase to keep up.
protocols must go through a proper (long) review process before they can
safely be used in real systems. Just look at the NIST AES process.
>o Once InterBase claims to support encryption, the vendor acceptsI haven't checked, but I'm sure that the Interbase license explicitly
> a level of liability for security that too high.
disclaims any liability for losses incurred through the use of the software.
In fact, I'd be surprised if it even accepted that the software was fit for
a given purpose.
>o An InterBase-only encryption mechanism is useless.They all have different requirements. There are more security services than
> Any security package that an IT shop chooses must account for
> any type of traffic, which is typically email, file access,
> http, and perhaps telnet.
confidentiality: Depending on the circumstances, you might also need
authentication, non-repudiation or integrity. They are provided by applying
cryptography in different ways. Just encrypting your links does nothing for
process level authentication.
>For example, this week, I was working with a web-hosting company whoI don't know if they were doing it this way, but ssh allows for
>insists that we access their machines using a VPN mechanism, connecting
>using IPSec. Additionally, they insisted that if I telnet into the
>machine, that I use ssh, not plain telnet protocol. It seems kind of
>redundant to encrypt by session when I'm already using an encrypted IP
>stack, but that's what they wanted.
cryptographic authentication of clients. This is quite separate to making
the contents of a session confidential through encryption, and is quite a
reasonable requirement.
I think before any real discussion takes place about "using encryption", the
purpose needs to be clear. Encryption is useful for more than just making
things confidential.
Jan Mikkelsen
janm@...