[Cryptography] How should we encrypt external mail attachments
Phillip Hallam-Baker
phill at hallambaker.com
Tue Aug 3 00:18:02 EDT 2021
On Mon, Aug 2, 2021 at 9:44 PM John Levine <johnl at iecc.com> wrote:
> It appears that Phillip Hallam-Baker <phill at hallambaker.com> said:
> >I make an extensive proposal here (see EARL section), basically it is a URI
> >that combines a locator and decryption key so that the EARL is a bearer
> >token for the content.
>
> I don't understand what the advantage is over a plain URL that is long enough
> to be hard to guess. Either way, if you have the URL you can get the file.
>
The data on the Web Host is encrypted under a key that is not available to
that Web server.
Thus the Web Host is outside the Trust Perimeter. It doesn't require a
security audit unless traffic analysis by the host is a concern.
Data can be HIPAA, GDPR, controlled etc. but can't be decrypted unless the
QR code is available.
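Added example, not part of the original message and not the EARL format from the proposal: a simplified sketch of a URI that carries a secret from which both the locator and the decryption key are derived, so the host stores only ciphertext under a value it cannot invert. The `earl-demo://` scheme, the derivation labels and the HMAC-based cipher (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions made for this illustration.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlsplit

def _derive(secret: bytes, label: bytes) -> bytes:
    # Domain-separated one-way derivation from the secret carried in the URI.
    return hmac.new(secret, label, hashlib.sha256).digest()

def locator(secret: bytes) -> str:
    # The only value the host ever sees; it cannot be inverted to the secret.
    return _derive(secret, b"locator").hex()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD (assumption).
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(secret: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(_derive(secret, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(secret, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # encrypt-then-MAC

def unseal(secret: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_derive(secret, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("blob was modified or the key is wrong")
    ks = _keystream(_derive(secret, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def publish(host: dict, domain: str, plaintext: bytes) -> str:
    # Sender side: encrypt locally, upload only locator -> ciphertext.
    secret = secrets.token_bytes(16)
    host[locator(secret)] = seal(secret, plaintext)
    token = base64.urlsafe_b64encode(secret).rstrip(b"=").decode()
    return f"earl-demo://{domain}/{token}"  # made-up scheme; the bearer token

def fetch(host: dict, uri: str) -> bytes:
    # Recipient side: recompute the locator, download, decrypt locally.
    token = urlsplit(uri).path.lstrip("/")
    secret = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    return unseal(secret, host[locator(secret)])

if __name__ == "__main__":
    host = {}  # stands in for the untrusted web host's storage
    uri = publish(host, "files.example", b"constructed sample record")
    print(uri, fetch(host, uri))
```

With a plain unguessable URL the host holds the plaintext and sees the full path; here the request to the host carries only the derived locator, and the secret stays in the URI held by the sender and recipient.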