Re: Encrypted email versus HTTPS

[Scott Klement <midrange-l@xxxxxxxxxxxxxxxx>]

> Now, due to the "Full Employment for Lawyers and Auditors Act of 2002"
> (a.k.a. Sarbanes-Oxley) our main client is requiring all communications to
> be 'secure'. Without completely reworking the business procedures, I see two
> options: 1) Use PGP or S/MIME to encrypt the attachments, or 2) Email a
> 'link' to our website, challenge the user for a userid/pw and use HTTPS to
> allow the download.

Or both... :)  Use PGP or S/MIME to encrypt an e-mail that contains a 
link...

> The disadvantage of a website link such as
> "https://www.myserver.com/docs/somedocument.pdf"; is ensuring a user does not
> accidentally or purposely mangle the link and thereby retrieve someone
> else's document. Could the solution be as simple as appending a hash# to the
> document id?

Send each user a digital certificate that they can install into their 
browsers.  Companies that I've worked with will provide a CD-Rom or floppy 
disk with a "setup.exe" program that will do all the work of installing 
the client certificate into the browsers.

Then, when they make a request from your iSeries, don't give them a direct 
link to the document, but instead have a program that runs on the iSeries 
that checks for the client's digital certificate.

Depending on the certificate that it finds, return the appropriate 
document (not a link to it, just copy the document...)  This way, only a 
user with a particular certificate can get the document.

Alternately, give them a userid/password instead of using a digital 
certificate...  not quite as secure, but might be more convienient 
depending on the circumstances...