> I'm not sure I agree with this analysis . . . it depends what level of
> security you are pursuing. Firstly, if you want the highest level of
> security, you could use SSL and send the client certificate by courier.
>

once you have couriered someone a key in this way - then your whole security
regime rests entirely on the trust you have of the person/people you have
couriered the key to! If you trust them in the first place, then why
encrypt. If you don't trust them at all - then don't send them the key and
don't let them have a copy of the database.
Alan