[ZendTo] Re: password protection

Mike Brudenell mike.brudenell at york.ac.uk
Wed Jun 27 10:26:29 BST 2012


Hi, Tamas -

On 26 June 2012 17:06, Papp Tamas <tompos at martos.bme.hu> wrote:

> Users trust in sysadmins, they have to.
> Anyway, a zip password is also a good idea, but it's not safe enough, not
> enough.
> I prefer server side protection.
>

I think we'll have to agree to differ on this one: if I were conducting
highly sensitive research using specialist data I wouldn't feel I could
leave it to someone else to encrypt for me before uploading it for
transferring to someone else.

Implementing encryption on the server side wouldn't necessarily make it any
stronger, and could actually (depending on what the SysAdmin chose to set
up) be weaker than you'd like, giving you a false sense of security. For
additional security you could look at using something like GnuPG to:

   1. Set up a public/private key pair, then
   2. encrypt your data using your colleague's public key, and then
   3. digitally sign it with your own private key.

Upon receipt your colleague can then:

   1. Verify that it was really you who sent it by validating the file with
   your published public key, and then
   2. decrypt it using their own private key (which only they know the
   pass-phrase to).

Yes, it's hoops to jump through but it gives them reassurance that the data
really was from yourself, and you reassurance that only they can read the
data. Gives plenty of security (but possibly overkill for what you need?).
Oh, and couldn’t be implemented server-side as it needs people's private
and public keys for the process. :-)

Cheers,
Mike B-)

-- 
IT Services, The University of York, Heslington, York YO10 5DD, UK
Tel: +44-1904-323811
Disclaimer: <http://www.york.ac.uk/docs/disclaimer/email.htm>
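
The sign-and-encrypt exchange described in the message above, as an added example that is not part of the original post and is not ZendTo code. The names, e-mail addresses and temporary keyrings are constructed, the helper function names are hypothetical, and GnuPG 2.1 or later is assumed.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway keyrings in a temp dir stand in for each person.
# Demo keys have no pass-phrase so this runs unattended; real keys should have one.
set -e
WORK=$(mktemp -d)
cleanup() { for h in "$WORK"/*; do gpgconf --homedir "$h" --kill gpg-agent || true; done 2>/dev/null; rm -rf "$WORK"; }
trap cleanup EXIT

# g HOME ARGS...: run gpg non-interactively against one person's keyring.
g() {
  local home=$1; shift
  gpg --homedir "$home" --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"
}

# new_party NAME EMAIL: create a key pair; prints the keyring directory.
new_party() {
  mkdir -m 700 "$WORK/$1"
  g "$WORK/$1" --quick-generate-key "$1 <$2>" default default never >/dev/null 2>&1
  echo "$WORK/$1"
}

# fingerprint HOME EMAIL: primary-key fingerprint, the value to confirm out of band.
fingerprint() { g "$1" --with-colons --fingerprint "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }
# share_pubkey FROM_HOME EMAIL TO_HOME: copy a public key into another keyring.
share_pubkey() { g "$1" --armor --export "$2" | g "$3" --import 2>/dev/null; }

# send HOME SENDER RECIPIENT IN OUT: encrypt to the recipient's public key and sign with
# the sender's private key. --trust-model always stands in for a key you certified yourself.
send() {
  g "$1" --trust-model always --local-user "$2" --recipient "$3" \
    --sign --encrypt --output "$5" "$4"
}

# receive HOME EXPECTED_FPR IN OUT: decrypt, then keep the plaintext only if the
# signature is valid and was made by the expected sender's key.
receive() {
  local status_lines signer
  status_lines=$(g "$1" --status-fd 1 --output "$4" --decrypt "$3" 2>/dev/null) || { rm -f "$4"; return 1; }
  signer=$(printf '%s\n' "$status_lines" | awk '$2=="VALIDSIG"{print $NF}')
  if [ -n "$signer" ] && [ "$signer" = "$2" ]; then return 0; fi
  rm -f "$4"; return 1
}

ALICE=$(new_party alice alice@example.org); BOB=$(new_party bob bob@example.org)
share_pubkey "$ALICE" alice@example.org "$BOB"; share_pubkey "$BOB" bob@example.org "$ALICE"
echo "constructed sample data" > "$WORK/data.txt"
send "$ALICE" alice@example.org bob@example.org "$WORK/data.txt" "$WORK/data.gpg"
receive "$BOB" "$(fingerprint "$ALICE" alice@example.org)" "$WORK/data.gpg" "$WORK/out.txt"
echo "signature from the expected key verified; file decrypted"
```

The recipient compares the `VALIDSIG` fingerprint against the one they confirmed for the sender, because a valid signature from any other key in the keyring would otherwise also pass.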