> > I'm not sure I agree with this analysis . . . it depends what level of
> > security you are pursuing. Firstly, if you want the highest level of
> > security, you could use SSL and send the client certificate by courier.
> >
>
> once you have couriered someone a key in this way - then your whole

security

> regime rests entirely on the trust you have of the person/people you have
> couriered the key to! If you trust them in the first place, then why
> encrypt. If you don't trust them at all - then don't send them the key and
> don't let them have a copy of the database.
> Alan

Hi Alan

I don't follow your argument. You trust them enough to give them the public
key for accessing your data through your program. You do not give them the
private key, and you don't give them access to metadata.

So I don't see how giving someone access to the app through an SSL
certificate is placing everything in the trust of the user.

But perhaps I am misunderstanding what you are saying . . .

Lauchlan Mackinnon